15 aaa radius hwtacacs command


Upload: cgottoli

Post on 03-Apr-2018


Page 1: 15 Aaa Radius Hwtacacs Command

7/28/2019 15 Aaa Radius Hwtacacs Command

http://slidepdf.com/reader/full/15-aaa-radius-hwtacacs-command 1/84

Command Manual – AAA&RADIUS&HWTACACS
Quidway S3500-EA Series Ethernet Switches

Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd

Table of Contents

Chapter 1 AAA & RADIUS & HWTACACS Configuration Commands ..... 1-1
1.1 AAA Configuration Commands ..... 1-1
1.1.1 access-limit ..... 1-1
1.1.2 accounting default ..... 1-2
1.1.3 accounting lan-access ..... 1-3
1.1.4 accounting login ..... 1-4
1.1.5 accounting optional ..... 1-5
1.1.6 attribute ..... 1-6
1.1.7 authentication default ..... 1-7
1.1.8 authentication lan-access ..... 1-8
1.1.9 authentication login ..... 1-9
1.1.10 authorization command ..... 1-11
1.1.11 authorization default ..... 1-11
1.1.12 authorization lan-access ..... 1-13
1.1.13 authorization login ..... 1-14
1.1.14 cut connection ..... 1-15
1.1.15 display connection ..... 1-16
1.1.16 display domain ..... 1-17
1.1.17 display local-user ..... 1-19
1.1.18 domain ..... 1-21
1.1.19 domain default ..... 1-21
1.1.20 idle-cut ..... 1-22
1.1.21 level ..... 1-23
1.1.22 local-user ..... 1-24
1.1.23 local-user password-display-mode ..... 1-25
1.1.24 password ..... 1-25
1.1.25 self-service-url ..... 1-26
1.1.26 service-type ..... 1-27
1.1.27 service-type ftp ..... 1-28
1.1.28 state ..... 1-29
1.2 RADIUS Configuration Commands ..... 1-30
1.2.1 data-flow-format ..... 1-30
1.2.2 display local-server statistics ..... 1-31
1.2.3 display radius ..... 1-32
1.2.4 display radius statistics ..... 1-34
1.2.5 display stop-accounting-buffer ..... 1-35
1.2.6 key ..... 1-37
1.2.7 local-server ..... 1-38


1.2.8 local-server nas-ip ..... 1-39
1.2.9 nas-ip ..... 1-40
1.2.10 primary accounting ..... 1-41
1.2.11 primary authentication ..... 1-42
1.2.12 radius client ..... 1-43
1.2.13 radius nas-ip ..... 1-44
1.2.14 radius scheme ..... 1-45
1.2.15 radius trap ..... 1-46
1.2.16 reset local-server statistics ..... 1-47
1.2.17 reset radius statistics ..... 1-47
1.2.18 reset stop-accounting-buffer ..... 1-48
1.2.19 retry ..... 1-49
1.2.20 retry realtime-accounting ..... 1-50
1.2.21 retry stop-accounting ..... 1-51
1.2.22 secondary accounting ..... 1-52
1.2.23 secondary authentication ..... 1-53
1.2.24 server-type ..... 1-54
1.2.25 state ..... 1-55
1.2.26 stop-accounting-buffer enable ..... 1-56
1.2.27 timer quiet ..... 1-57
1.2.28 timer realtime-accounting ..... 1-58
1.2.29 timer response-timeout ..... 1-59
1.2.30 user-name-format ..... 1-60
1.3 HWTACACS Configuration Commands ..... 1-61
1.3.1 data-flow-format ..... 1-61
1.3.2 display hwtacacs ..... 1-62
1.3.3 display stop-accounting-buffer ..... 1-64
1.3.4 hwtacacs nas-ip ..... 1-65
1.3.5 hwtacacs scheme ..... 1-66
1.3.6 key ..... 1-67
1.3.7 nas-ip ..... 1-67
1.3.8 primary accounting ..... 1-68
1.3.9 primary authentication ..... 1-69
1.3.10 primary authorization ..... 1-70
1.3.11 reset hwtacacs statistics ..... 1-71
1.3.12 reset stop-accounting-buffer ..... 1-72
1.3.13 retry stop-accounting ..... 1-73
1.3.14 secondary accounting ..... 1-73
1.3.15 secondary authentication ..... 1-74
1.3.16 secondary authorization ..... 1-75
1.3.17 stop-accounting-buffer enable ..... 1-76
1.3.18 timer quiet ..... 1-77


1.3.19 timer realtime-accounting ..... 1-78
1.3.20 timer response-timeout ..... 1-79
1.3.21 user-name-format ..... 1-79


Chapter 1 AAA & RADIUS & HWTACACS Configuration Commands

1.1 AAA Configuration Commands

1.1.1 access-limit

Syntax

access-limit { disable | enable max-user-number }

undo access-limit 

View

ISP domain view

Parameter 

disable: Specifies that the number of access users in the current ISP domain is not limited.

enable max-user-number: Specifies the maximum number of access users that the current ISP domain can contain. max-user-number ranges from 1 to 1024.

Description

Use the access-limit command to set the maximum number of access users that the current ISP domain can contain.

Use the undo access-limit command to restore the default maximum number.

By default, the number of access users that the current ISP domain can contain is unlimited.

Because access users may contend for resources, limit the number of access users in an ISP domain appropriately so that the users in that domain get reliable performance.

Example

# Allow ISP domain aabbcc.net to contain at most 500 access users.

<Sysname>system-view

System View: return to User View with Ctrl+Z.

[Sysname]domain aabbcc.net

[Sysname-isp-aabbcc.net] access-limit enable 500


1.1.2 accounting default

Syntax

accounting default { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }

undo accounting default

View

ISP domain view

Parameter 

radius-scheme-name: Name of RADIUS scheme, a string not exceeding 32 characters.

hwtacacs-scheme-name: Name of HWTACACS scheme, a string not exceeding 32 characters.

local: Local accounting.

none: No accounting.

Description

Use the accounting default command to configure an accounting scheme for all users.

Use the undo accounting default command to restore the default accounting scheme for all users.

By default, the local scheme is configured.

It should be noted that:

- The accounting scheme configured by the accounting default command applies to all users, but it has lower priority than an accounting scheme configured for a specific access mode (accounting lan-access or accounting login).

- Local accounting only supports the management of local user connections; it does not collect real accounting statistics. This connection management is a function of local accounting, not of local authentication or authorization.

- In the login access mode, accounting is not supported for FTP services.

Related commands: authentication default and authorization default.

Example

# In the default ISP domain named system, configure local as the default accounting scheme for all users.

<Sysname>system-view

System View: return to User View with Ctrl+Z.

[Sysname] domain system

[Sysname-isp-system] accounting default local


# In the default ISP domain named system, configure the RADIUS scheme named rd as the default accounting scheme for all users, with local accounting as the backup. The rd scheme must already be configured. Related command: radius scheme.

<Sysname>system-view

System View: return to User View with Ctrl+Z.

[Sysname] domain system

[Sysname-isp-system] accounting default radius-scheme rd local

# In the default ISP domain named system, restore the default accounting scheme for all users.

<Sysname>system-view

System View: return to User View with Ctrl+Z.

[Sysname] domain system

[Sysname-isp-system] undo accounting default

1.1.3 accounting lan-access

Syntax

accounting lan-access { radius-scheme radius-scheme-name [ local ] | local | none }

undo accounting lan-access

View

ISP domain view

Parameter 

radius-scheme-name : Name of RADIUS scheme, a string not exceeding 32 characters.

local: Local accounting.

none: No accounting.

Description

Use the accounting lan-access command to configure accounting for a lan-access user.

Use the undo accounting lan-access command to remove accounting for a lan-access user.

Related command: accounting default.

Example

# In the default ISP domain named system, configure local as the accounting scheme for the lan-access user.

<Sysname>system-view

System View: return to User View with Ctrl+Z.


[Sysname] domain system

[Sysname-isp-system] accounting lan-access local

# In the default ISP domain named system, configure the RADIUS scheme named rd as the accounting scheme for the lan-access user, with local accounting as the backup. The rd scheme must already be configured. Related command: radius scheme.

<Sysname>system-view

System View: return to User View with Ctrl+Z.

[Sysname] domain system

[Sysname-isp-system] accounting lan-access radius-scheme rd local

# In the default ISP domain named system, remove the accounting scheme for the lan-access user.

<Sysname>system-view

System View: return to User View with Ctrl+Z.

[Sysname] domain system

[Sysname-isp-system] undo accounting lan-access

1.1.4 accounting login

Syntax

accounting login { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }

undo accounting login

View

ISP domain view

Parameter 

radius-scheme-name : Name of RADIUS scheme, a string not exceeding 32 characters.

hwtacacs-scheme-name: Name of HWTACACS scheme, a string not exceeding 32 characters.

local: Local accounting.

none: No accounting.

Description

Use the accounting login command to configure accounting for the login user.

Use the undo accounting login command to remove accounting for the login user.

Related command: accounting default.


Example

# In the default ISP domain named system, configure local as the accounting scheme for the login user.

<Sysname>system-view

System View: return to User View with Ctrl+Z.

[Sysname] domain system

[Sysname-isp-system] accounting login local

# In the default ISP domain named system, configure the RADIUS scheme named rd as the accounting scheme for the login user, with local accounting as the backup. The rd scheme must already be configured. Related command: radius scheme.

<Sysname>system-view

System View: return to User View with Ctrl+Z.

[Sysname] domain system

[Sysname-isp-system] accounting login radius-scheme rd local

# In the default ISP domain named system, remove the accounting scheme for the login user.

<Sysname>system-view

System View: return to User View with Ctrl+Z.

[Sysname] domain system

[Sysname-isp-system] undo accounting login

1.1.5 accounting optional

Syntax

accounting optional

undo accounting optional

View

ISP domain view

Parameter 

None 

Description

Use the accounting optional command to enable the accounting-optional switch.

Use the undo accounting optional command to disable the accounting-optional switch.

By default, the accounting-optional switch is disabled.

Note that:


- When the system accounts for an online user but cannot find an available RADIUS accounting server, or fails to communicate with any RADIUS accounting server, the user can continue to access network resources if the accounting optional command has been executed; otherwise, the user is disconnected from the system. The accounting optional command is typically used where only authentication is needed and no accounting is needed.

- After the accounting optional command is executed, the system sends no real-time accounting update packets or accounting-stop packets for the users of the RADIUS scheme.
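The accounting rules stated in the notes to 1.1.2 (an access-mode-specific scheme outranks accounting default; a trailing local keyword is the backup) and 1.1.5 (accounting optional decides whether a user stays online when no RADIUS accounting server answers), written out as an added Python model. This is not Huawei code; the scheme names, the server-reachability input and all function names are constructed for the example.

```python
"""Model of ISP-domain accounting selection and fallback as documented in
1.1.2 and 1.1.5. Added illustration, not the switch's implementation; scheme
names, reachability data and function names are constructed for the example."""
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Scheme:
    """One { radius-scheme <name> [ local ] | local | none } argument."""
    kind: str                    # "radius-scheme", "local" or "none"
    name: Optional[str] = None   # RADIUS scheme name (up to 32 characters)
    local_backup: bool = False   # trailing "local" keyword present


def parse_scheme(arg: str) -> Scheme:
    """Parse the argument string of accounting default / lan-access / login."""
    tokens = arg.split()
    if tokens == ["local"]:
        return Scheme("local")
    if tokens == ["none"]:
        return Scheme("none")
    if 2 <= len(tokens) <= 3 and tokens[0] == "radius-scheme":
        if len(tokens[1]) > 32:
            raise ValueError("RADIUS scheme name longer than 32 characters")
        if len(tokens) == 3 and tokens[2] != "local":
            raise ValueError(f"unexpected keyword {tokens[2]!r}")
        return Scheme("radius-scheme", tokens[1], len(tokens) == 3)
    raise ValueError(f"invalid scheme argument: {arg!r}")


@dataclass
class Domain:
    """ISP domain view state relevant to accounting (documented defaults)."""
    name: str
    accounting_default: Scheme = field(default_factory=lambda: Scheme("local"))
    accounting_lan_access: Optional[Scheme] = None   # accounting lan-access ...
    accounting_login: Optional[Scheme] = None        # accounting login ...
    accounting_optional: bool = False                # switch disabled by default


def select_accounting_scheme(domain: Domain, access_mode: str) -> Scheme:
    """The scheme set for the user's access mode wins; otherwise the
    domain-wide accounting default applies (lower priority, per 1.1.2)."""
    specific = {
        "lan-access": domain.accounting_lan_access,
        "login": domain.accounting_login,
    }[access_mode]
    return specific if specific is not None else domain.accounting_default


def account_user(domain: Domain, access_mode: str, reachable: Set[str],
                 service: str = "telnet") -> str:
    """Outcome for one online user. `reachable` holds the names of RADIUS
    schemes whose accounting server currently answers (constructed input)."""
    if access_mode == "login" and service == "ftp":
        return "online, no accounting (not supported for FTP in login mode)"
    scheme = select_accounting_scheme(domain, access_mode)
    if scheme.kind == "none":
        return "online, no accounting"
    if scheme.kind == "local":
        # Local accounting only manages local connections; no real statistics.
        return "online, local accounting"
    if scheme.name in reachable:
        return f"online, accounted by radius-scheme {scheme.name}"
    # No usable RADIUS accounting server: fall back, tolerate, or disconnect.
    if scheme.local_backup:
        return "online, local accounting (backup)"
    if domain.accounting_optional:
        # User stays online; no real-time update or stop packets are sent.
        return "online, accounting skipped (accounting optional)"
    return "disconnected: no RADIUS accounting server available"


if __name__ == "__main__":
    system = Domain("system",
                    accounting_default=parse_scheme("radius-scheme rd local"))
    print(account_user(system, "login", reachable=set()))
```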

Example

# Open the accounting-optional switch for the ISP domain named aabbcc.net.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] domain aabbcc.net

[Sysname-isp-aabbcc.net] accounting optional

1.1.6 attribute

Syntax

attribute { ip ip-address | mac mac-address | idle-cut minute | access-limit max-user-number | vlan vlan-id | location { nas-ip ip-address port portnum | port portnum } } *

undo attribute { ip | mac | idle-cut | access-limit | vlan | location } *

View

Local user view

Parameter 

ip ip-address: Sets the IP address of the user. The attribute ip command for a local user applies only to Huawei 802.1x clients; if you configure it for a non-Huawei client, local authentication fails.

mac mac-address: Sets the MAC address of the user. mac-address is in H-H-H format.

idle-cut minute: Enables the idle-cut function for the local user. minute is the idle time before the user is cut off, ranging from 1 to 120 minutes.

access-limit max-user-number: Sets the maximum number of users who can access the switch with the current user name. max-user-number ranges from 1 to 1024.

vlan vlan-id: Sets the VLAN attribute of the user (that is, the VLAN the user belongs to). vlan-id is an integer ranging from 1 to 4094.

location: Sets the port binding attribute of the user.


nas-ip ip-address: Sets the IP address of the remote access server port to which the user is bound. ip-address is in dotted decimal notation and defaults to 127.0.0.1 (this device). If the user is bound to a remote port, you must specify the nas-ip parameter; if the user is bound to a local port, you need not specify it.

port port-number: Sets the port bound to the user.

Description

Use the attribute command to set the attributes of a user whose service type is lan-access.

Use the undo attribute command to cancel the attribute settings of the user.

Related command: display local-user.

Example

# Set the IP address of user1 to 10.110.50.1.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] local-user user1

[Sysname-luser-user1] attribute ip 10.110.50.1

1.1.7 authentication default

Syntax

authentication default { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }

undo authentication default

View

ISP domain view

Parameter 

radius-scheme-name: Name of RADIUS scheme, a string not exceeding 32 characters.

hwtacacs-scheme-name: Name of HWTACACS scheme, a string not exceeding 32 characters.

local: Local authentication.

none: No authentication.

Description

Use the authentication default command to configure the authentication scheme for all users.


Use the undo authentication default command to restore the default authentication scheme for all users.

By default, local authentication is used.

The authentication scheme configured by the authentication default command applies to all users, but it has lower priority than an authentication scheme configured for a specific access mode.

Related commands: authorization default and accounting default.

Example

# In the default ISP domain named system, configure local as the default authentication scheme for all users.

<Sysname>system-view

System View: return to User View with Ctrl+Z.

[Sysname] domain system

[Sysname-isp-system] authentication default local

# In the default ISP domain named system, configure the RADIUS scheme named rd as the default authentication scheme for all users, with local authentication as the backup. The rd scheme must already be configured. Related command: radius scheme.

<Sysname>system-view

System View: return to User View with Ctrl+Z.

[Sysname] domain system

[Sysname-isp-system] authentication default radius-scheme rd local

# In the default ISP domain named system, restore the default authentication scheme for all users.

<Sysname>system-view

System View: return to User View with Ctrl+Z.

[Sysname] domain system

[Sysname-isp-system] undo authentication default

1.1.8 authentication lan-access

Syntax

authentication lan-access { radius-scheme radius-scheme-name [ local ] | local | none }

undo authentication lan-access

View

ISP domain view


Parameter 

radius-scheme-name: Name of the RADIUS scheme, a string of up to 32 characters.

local: Local authentication.

none: No authentication.

Description

Use the authentication lan-access command to configure the authentication scheme
for lan-access users.

Use the undo authentication lan-access command to remove the authentication scheme
configured for lan-access users.

Related command: authentication default.

Example

# In the default ISP domain named system, configure local as the authentication

scheme for the lan-access user.

<Sysname>system-view

System View: return to User View with Ctrl+Z.

[Sysname] domain system

[Sysname-isp-system] authentication lan-access local

# In the default ISP domain named system, configure the RADIUS scheme named rd as
the authentication scheme for lan-access users, with local authentication as the
backup. Note that the rd scheme must already exist. Related command: radius scheme.

<Sysname>system-view

System View: return to User View with Ctrl+Z.

[Sysname] domain system

[Sysname-isp-system] authentication lan-access radius-scheme rd local

# In the default ISP domain named system, remove the authentication scheme for the

lan-access user.

<Sysname>system-view

System View: return to User View with Ctrl+Z.

[Sysname] domain system

[Sysname-isp-system] undo authentication lan-access

1.1.9 authentication login

Syntax

authentication login { radius-scheme  radius-scheme-name [ local ] |

hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }


undo authentication login

View

ISP domain view

Parameter 

radius-scheme-name: Name of the RADIUS scheme, a string of up to 32 characters.

hwtacacs-scheme-name: Name of the HWTACACS scheme, a string of up to 32 characters.

local: Local authentication.

none: No authentication.

Description

Use the authentication login command to configure authentication for a login user.

Use the undo authentication login command to remove authentication for a login

user.

Related command: authentication default.

Example

# In the default ISP domain named system, configure local as the authentication

scheme for the login user.

<Sysname>system-view

System View: return to User View with Ctrl+Z.

[Sysname] domain system

[Sysname-isp-system] authentication login local

# In the default ISP domain named system, configure the RADIUS scheme named rd as
the authentication scheme for login users, with local authentication as the backup.
Note that the rd scheme must already exist. Related command: radius scheme.

<Sysname>system-view

System View: return to User View with Ctrl+Z.

[Sysname] domain system

[Sysname-isp-system] authentication login radius-scheme rd local

# In the default ISP domain named system, remove the authentication scheme for the

login user.

<Sysname>system-view

System View: return to User View with Ctrl+Z.

[Sysname] domain system

[Sysname-isp-system] undo authentication login


1.1.10 authorization command

Syntax

authorization command hwtacacs-scheme hwtacacs-scheme-name  

undo authorization command

View

ISP domain view

Parameter 

hwtacacs-scheme-name: Name of the HWTACACS scheme, a string of up to 32 characters.

Description

Use the authorization command command to configure the authorization scheme for
CLI users.

Use the undo authorization command command to remove the authorization scheme
configured for CLI users.

Related command: authorization default.

Example

# In the default ISP domain named system, configure the HWTACACS scheme named hw as
the authorization scheme for CLI users. Note that the hw scheme must already exist.
Related command: hwtacacs scheme.

<Sysname>system-view

System View: return to User View with Ctrl+Z.

[Sysname] domain system

[Sysname-isp-system] authorization command hwtacacs-scheme hw

1.1.11 authorization default

Syntax

authorization default { radius-scheme  radius-scheme-name [ local ] |

hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }

undo authorization default

View

ISP domain view

Parameter 

radius-scheme-name: Name of the RADIUS scheme, a string of up to 32 characters.


hwtacacs-scheme-name: Name of the HWTACACS scheme, a string of up to 32 characters.

local: Local authorization.

none: No authorization. The user is granted access directly, without an authorization
step, and receives only the default rights.

Description

Use the authorization default command to configure the default authorization for all

users.

Use the undo authorization default command to restore the default authorization

scheme for all users.

By default, the local authorization is used.

Note that:

• The authorization scheme configured by the authorization default command applies
to all users, but a scheme configured for a specific access mode (for example,
authorization login or authorization lan-access) takes precedence over it.

• RADIUS authorization is a special case: it takes effect only when the RADIUS scheme
used for authorization is the same as the one used for authentication. If RADIUS
authorization fails, the reason reported to the NAS is that the server did not
respond.

Related command: authentication default and accounting default.

Example

# In the default ISP domain named system, configure local as the default authorization

for all users.

<Sysname>system-view

System View: return to User View with Ctrl+Z.

[Sysname] domain system

[Sysname-isp-system] authorization default local

# In the default ISP domain named system, configure the RADIUS scheme named rd as
the default authorization scheme for all users, with local authorization as the
backup. Note that the rd scheme must already exist. Related command: radius scheme.

<Sysname>system-view

System View: return to User View with Ctrl+Z.

[Sysname] domain system

[Sysname-isp-system] authorization default radius-scheme rd local

# In the default ISP domain named system, restore the default authorization scheme for 

all users.

<Sysname>system-view


System View: return to User View with Ctrl+Z.

[Sysname] domain system

[Sysname-isp-system] undo authorization default

1.1.12 authorization lan-access

Syntax

authorization lan-access { radius-scheme  radius-scheme-name [ local ] | local |

none }

undo authorization lan-access

View

ISP domain view

Parameter 

radius-scheme-name: Name of the RADIUS scheme, a string of up to 32 characters.

local: Local authorization.

none: No authorization. The user is granted access directly, without an authorization
step, and receives only the default rights.

Description

Use the authorization lan-access command to configure authorization for a

lan-access user.

Use the undo authorization lan-access command to remove authorization for a

lan-access user.

Related command: authorization default.

Example

# In the default ISP domain named system, configure local as the authorization

scheme for the lan-access user.

<Sysname>system-view

System View: return to User View with Ctrl+Z.

[Sysname] domain system

[Sysname-isp-system] authorization lan-access local

# In the default ISP domain named system, configure the RADIUS scheme named rd as
the authorization scheme for lan-access users, with local authorization as the
backup. Note that the rd scheme must already exist. Related command: radius scheme.

<Sysname>system-view

System View: return to User View with Ctrl+Z.

[Sysname] domain system


[Sysname-isp-system] authorization lan-access radius-scheme rd local

# In the default ISP domain named system, remove the authorization scheme for the

lan-access user.

<Sysname>system-view

System View: return to User View with Ctrl+Z.

[Sysname] domain system

[Sysname-isp-system] undo authorization lan-access

1.1.13 authorization login

Syntax

authorization login { radius-scheme  radius-scheme-name [ local ] |

hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }

undo authorization login

View

ISP domain view

Parameter 

radius-scheme-name: Name of the RADIUS scheme, a string of up to 32 characters.

hwtacacs-scheme-name: Name of the HWTACACS scheme, a string of up to 32 characters.

local: Local authorization.

none: No authorization. The user is granted access directly, without an authorization
step, and receives only the default rights.

Description

Use the authorization login command to configure authorization for a login user.

Use the undo authorization login command to remove authorization for a login user.

Related command: authorization default.

Example

# In the default ISP domain named system, configure local as the authorization

scheme for the login user.

<Sysname>system-view

System View: return to User View with Ctrl+Z.

[Sysname] domain system

[Sysname-isp-system] authorization login local


# In the default ISP domain named system, configure the RADIUS scheme named rd as
the authorization scheme for login users, with local authorization as the backup.
Note that the rd scheme must already exist. Related command: radius scheme.

<Sysname>system-view

System View: return to User View with Ctrl+Z.

[Sysname] domain system

[Sysname-isp-system] authorization login radius-scheme rd local

# In the default ISP domain named system, remove the authorization scheme for the

login user.

<Sysname>system-view

System View: return to User View with Ctrl+Z.

[Sysname] domain system

[Sysname-isp-system] undo authorization login

1.1.14 cut connection

Syntax

cut connection { all | access-type { dot1x  |  mac-authentication } | domain

domain-name  | interface interface-type interface-number  | ip  ip-address | mac

mac-address | vlan vlan-id | ucibindex ucib-index | user-name user-name }

View

System view

Parameter 

all: Cuts down all user connections. 

access-type { dot1x | mac-authentication }: Cuts down user connections using the

specified access method. dot1x is used to cut down all 802.1x user connections, and

mac-authentication is used to cut down all MAC authentication user connections. 

domain isp-name: Cuts down all user connections in the specified ISP domain. Where,

isp-name is the name of an ISP domain. It is a character string of up to 24 characters.

You can only specify an existing ISP domain.

interface  interface-type interface-number : Cuts down all user connections under the

specified port. Where interface-type is the port type and interface-number  is the port

number.

ip ip-address: Cuts down the connection of the user with the specified IP address.

mac mac-address: Cuts down the user connection with the specified MAC address.

Where, mac-address is in the H-H-H format.

vlan vlan-id : Cuts down all user connections of the specified VLAN. Where, vlan-id 

ranges from 1 to 4094.


ucibindex ucib-index : Cuts down the user connection with the specified connection

index. Where, ucib-index ranges from 0 to 4294967295.

user-name user-name: Cuts down the user connection of the specified user. Where,
user-name is a character string of up to 80 characters. The string cannot contain the
following characters: /:*?<>. It can contain no more than one @ character. The pure
user name (user ID, that is, the part before @) cannot contain more than 55 characters.

Description

Use the cut connection command to cut down one user connection or one type of user 

connections forcibly.

This command cannot cut down the connections of Telnet, SSH and FTP users.

Related command: display connection.

Example

# Cut down all user connections in the ISP domain named aabbcc.net.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] cut connection domain aabbcc.net

1.1.15 display connection

Syntax

display  connection [ access-type { dot1x  |  mac-authentication } | domain 

domain-name | interface interface-type interface-number  | ip ip-address  | mac 

mac-address | vlan vlan-id | ucibindex ucib-index  | user-name user-name ] 

View

 Any view

Parameter 

access-type { dot1x | mac-authentication }: Displays the user connections in

specified access mode. Where, dot1x is used to display all 802.1x user connections,

and mac-authentication is used to display all MAC authentication user connections. 

domain  isp-name: Displays all user connections under the specified ISP domain.

Where, isp-name is the name of an ISP domain, a character string of up to 24

characters. You can only specify an existing ISP domain.

interface  interface-type interface-number : Displays all user connections on the

specified port.

ip ip-address: Displays all user connections with the specified IP address.


mac mac-address: Displays the connection of the user with the specified MAC address.

Where, mac-address is in dotted hexadecimal notation (in the form of H.H.H).

vlan  vlan-id : Displays all user connections of the specified VLAN. Where, vlan-id  

ranges from 1 to 4094.

ucibindex  ucib-index : Displays the user connection with the specified connection

index. Where, ucib-index ranges from 0 to 4294967295.

user-name user-name: Displays the user connection with the specified user name.

Where, user-name is a character string in the format of pure-username@domain-name.

The pure-username cannot be longer than 55 characters, and the whole string cannot

be longer than 80 characters.

Description

Use the display connection command to display information about specified or all
user connections.

If you execute this command without specifying any parameter, all user connections will

be displayed.

This command cannot display information about the connections of the FTP users.

Related command: cut connection.

Example

# Display information about all user connections.

<Sysname> display connection

Total 0 connections matched ,0 listed.

1.1.16 display domain

Syntax

display domain [ isp-name ]

View

 Any view

Parameter 

isp-name: Name of an ISP domain, a character string of up to 24 characters. This must

be the name of an existing ISP domain. 

Description

Use the display domain command to display the configuration information about one

specific or all ISP domains.

Related command: access-limit, domain and state.


Example

# Display the configuration information about all ISP domains.

<Sysname>display domain

0 Domain = system

State = Active

 Access-limit = Disable

 Accounting method = Required

Default authentication scheme : local

Default authorization scheme : local

Default accounting scheme : local

Domain User Template:

Idle-cut = Disable

Self-service = Disable

Default Domain Name: system

Total 1 domain(s).

Table 1-1 Description on the fields of the display domain command

Field                          Description
Domain                         Domain name
State                          State of the ISP domain
Access-Limit                   Limit on the number of access users
Accounting method              Accounting method
Default authentication scheme  Default authentication scheme
Default authorization scheme   Default authorization scheme
Default accounting scheme      Default accounting scheme
Domain User Template           Domain user template
Idle-Cut                       State of the idle-cut function
Self-service                   State of the self-service function
Default Domain Name            Default domain name
Total 1 domain(s)              There is one domain in total


1.1.17 display local-user 

Syntax

display local-user [ domain isp-name | idle-cut { disable | enable } | vlan vlan-id |
service-type { lan-access | telnet | ssh | terminal | ftp } | state { active | block } |
user-name user-name ]

View

 Any view

Parameter 

domain  isp-name: Displays all local users belonging to the specified ISP domain.

Where, isp-name is the name of an ISP domain, a character string of up to 24

characters. You can only specify an existing ISP domain.

idle-cut { disable | enable }: Displays the local users who are inhibited from enabling

the idle-cut function, or the local users who are allowed to enable the idle-cut function.

Where, disable specifies the inhibited local users and enable specifies the allowed

local users.

vlan vlan-id : Displays the local users belonging to the specified VLAN. Where, vlan-id  

ranges from 1 to 4094.

service-type: Displays the local users of the specified type. You can specify one of the
following user types: lan-access (generally, this type of users are Ethernet access
users, for example, 802.1x users), telnet (for Telnet users), ssh (for SSH users),
terminal (this type of users are terminal users who log into the switch through the
Console port), and ftp (for FTP users).

state { active | block }: Displays the local users in the specified state. Where active 

represents the users allowed to request network services, and block represents the

users inhibited to request network services. 

user-name user-name: Displays the local user who has the specified user name.
Where, user-name is a character string of up to 80 characters. The string cannot
contain the following characters: /:*?<>. It can contain no more than one @ character.
The pure user name (user ID, that is, the part before @) cannot be longer than 55
characters.

Description

Use the display local-user command to display information about specified or all local

users.

Related command: local-user .


Example

# Display information about all local users.

<Sysname> display local-user

The contents of local user user1:

State: Active

ServiceType: lan-access/telnet

Idle-cut: Disable

 Access-limit: Disable Current AccessNum: 0

Bind location: Disable

Vlan ID: Disable

IP address: Disable

MAC address: Disable

User Privilege: 3

Total 1 local user(s) Matched,1 listed.

Table 1-2 Description on the fields of the display local-user command

Field              Description
State              State of the local user: Active or Block
ServiceType        Service type (ftp, lan-access, ssh, telnet, or terminal)
Idle-Cut           State of the idle-cut function
Access-Limit       Limit on the number of access users
Current AccessNum  Number of current access users
Bind location      Whether or not the user is bound to a port
Vlan ID            VLAN of the user
IP address         IP address of the user
MAC address        MAC address of the user
User Privilege     Privilege level of the user

Note:

When the local RADIUS authentication server (local-server) is enabled, the value of
"Current AccessNum" may be inconsistent with the actual number of access users; the
displayed value is for reference only.
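The field layout above is regular enough to parse, which is how a security operations team turns periodic display local-user captures into a detection for unauthorized local accounts or privilege changes on the switch. The following Python script is an added example, not part of the Huawei manual: it parses the output format shown above (including the one line that carries both Access-limit and Current AccessNum), checks the number of records parsed against the trailing "Total ... listed" line, and diffs two captures. BEFORE and AFTER are constructed samples in that format, not captures from a real switch; the user names in them are invented.

```python
"""Parse 'display local-user' output and diff two captures to detect account changes."""
import re

RECORD_START = re.compile(r"^The contents of local user (\S+):$")
TOTAL_LINE = re.compile(r"^Total (\d+) local user\(s\) Matched,\s*(\d+) listed\.*$")
# 'key: value' pairs; one output line carries two of them
# ('Access-limit: Disable Current AccessNum: 0'), so findall is applied per line.
FIELD = re.compile(r"([A-Za-z][A-Za-z -]*?):\s*(\S+)")

# Constructed captures in the format shown above (not from a real switch).
BEFORE = """\
<Sysname> display local-user
The contents of local user user1:
State: Active
ServiceType: lan-access/telnet
Idle-cut: Disable
Access-limit: Disable Current AccessNum: 0
Bind location: Disable
Vlan ID: Disable
IP address: Disable
MAC address: Disable
User Privilege: 3
The contents of local user backup:
State: Block
ServiceType: ftp
Idle-cut: Disable
User Privilege: 1
Total 2 local user(s) Matched,2 listed..
"""

# Second capture; only the fields the diff looks at are repeated for each user.
AFTER = """\
<Sysname> display local-user
The contents of local user user1:
State: Active
ServiceType: lan-access/telnet
User Privilege: 3
The contents of local user backup:
State: Active
ServiceType: ftp/telnet
User Privilege: 3
The contents of local user svc:
State: Active
ServiceType: ssh
User Privilege: 3
Total 3 local user(s) Matched,3 listed..
"""


def parse_local_users(output):
    """Return {user_name: {field: value}} parsed from 'display local-user' output
    and check the record count against the trailing 'Total ... listed' line."""
    users, current, listed = {}, None, None
    for raw in output.splitlines():
        line = raw.strip()
        start = RECORD_START.match(line)
        if start:
            current = users.setdefault(start.group(1), {})
            continue
        total = TOTAL_LINE.match(line)
        if total:
            listed = int(total.group(2))
        elif current is not None:
            current.update(FIELD.findall(line))
    if listed is not None and listed != len(users):
        raise ValueError(f"{listed} users listed but {len(users)} records parsed")
    return users


def privilege(user):
    """User Privilege as an integer; the manual gives 0 as the default level."""
    return int(user.get("User Privilege", "0"))


def services(user):
    """ServiceType split on '/' into a set, e.g. {'lan-access', 'telnet'}."""
    return set(user.get("ServiceType", "").split("/")) - {""}


def diff_local_users(before_output, after_output):
    """Compare two captures: added/removed user names and per-user field changes."""
    before, after = parse_local_users(before_output), parse_local_users(after_output)
    changed = {}
    for name in before.keys() & after.keys():
        old, new, delta = before[name], after[name], {}
        if privilege(old) != privilege(new):
            delta["User Privilege"] = (privilege(old), privilege(new))
        if services(old) != services(new):
            delta["ServiceType"] = (sorted(services(old)), sorted(services(new)))
        if old.get("State") != new.get("State"):
            delta["State"] = (old.get("State"), new.get("State"))
        if delta:
            changed[name] = delta
    return {"added": sorted(after.keys() - before.keys()),
            "removed": sorted(before.keys() - after.keys()),
            "changed": changed}
```

Run diff_local_users on consecutive captures and alert on any non-empty "added" list or on a privilege change to 3; a record count that disagrees with the "Total ... listed" line raises, which is preferable to silently missing an account.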


1.1.18 domain

Syntax

domain isp-name

undo domain isp-name

View

System view

Parameter 

isp-name: Name of an ISP domain, a case-insensitive character string of 1 to 24
characters. This string cannot contain the following characters: /:*?<>@.

default: Manually configures the default ISP domain, which is "system" by default.
There is one and only one default ISP domain.

disable: Disables the configured default ISP domain.

enable: Enables the configured default ISP domain.

Description

Use the domain command to create an ISP domain and enter its view, or enter the view

of an existing ISP domain, or configure the default ISP domain.

Use the undo domain command to delete a specified ISP domain.

 After you execute the domain command, the system creates an ISP domain if the

specified ISP domain does not exist. Once an ISP domain is created, it is in the active 

state.

Related command: state, display domain.

Example

# Create a new ISP domain "aabbcc.net" and enter its view.

<Sysname> system-view

[Sysname] domain aabbcc.net

[Sysname-isp-aabbcc.net]

1.1.19 domain default

Syntax

domain default { disable | enable isp-name }

View

System view


Parameter 

disable: Disables the specified ISP domain from being configured as the default.

enable: Configures the specified ISP domain as the default.

isp-name: ISP domain name.

Description

Use the domain default command to configure the default ISP domain manually.

The default ISP domain is "system".

Note that:

• There is one and only one default ISP domain.

• You can manually configure only an existing domain as the default ISP domain.

• To remove the default ISP domain defined, you need to use the domain default
disable command first.

Related command: state, display domain 

Example

# Create a new ISP domain with the name "aabbcc.net" and configure it as the default

ISP domain.

<Sysname> system-view

[Sysname] domain aabbcc.net

[Sysname-isp-aabbcc.net] quit

[Sysname] domain default enable aabbcc.net

1.1.20 idle-cut

Syntax

idle-cut { disable | enable minute }

View

ISP domain view

Parameter 

disable: Inhibits users from enabling the idle-cut function.

enable: Allows users to enable the idle-cut function.

minute: Maximum idle time, ranging from 1 minute to 120 minutes.

Description

Use the idle-cut command to set the user idle-cut function in current ISP domain.

By default, this function is disabled.


Related command: domain. 

Example

# Allow users in ISP domain aabbcc.net to enable the idle-cut attribute in the user
template (that is, allow the user to use the idle-cut function), with a maximum idle
time of 50 minutes.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] domain aabbcc.net

[Sysname-isp-aabbcc.net] idle-cut enable 50

1.1.21 level

Syntax

level level 

undo level 

View

Local user view

Parameter 

level: Priority level of the user, an integer ranging from 0 to 3. The default is 0.

Description

Use the level command to set the priority level of the user.

Use the undo level command to restore the default priority level of the user.

Note that:

• If the configured authentication method is none or requires only a password, the
command level that a user can access after login is determined by the level of the
user interface.

• If the configured authentication method requires a user name and a password, the
command level that a user can access after login is determined by the priority level
of the user. For SSH users who authenticate with RSA public keys, the commands they
can access are determined by the levels set on the user interfaces.

Related command: local-user .

Example

# Set the level of user1 to 3.

<Sysname> system-view

System View: return to User View with Ctrl+Z.


[Sysname] local-user user1

[Sysname-luser-user1] level 3

1.1.22 local-user 

Syntax

local-user user-name 

undo local-user { user-name | all [ service-type { lan-access | telnet | ssh | terminal 

| ftp } ] } 

View

System view

Parameter 

user-name: Name of the local user, a character string of up to 80 characters. This string

cannot contain the following characters: /:*?<>. It can contain no more than one @

character. The pure user name (user ID, that is, the part before @) cannot be longer 

than 55 characters. User names are case-sensitive. For example, the system regards

UserA and usera as two different users.

all: Specifies all local users.

service-type: Specifies the local users of the specified type. You can specify one of the

following user types: ftp, lan-access (generally, this type of users are Ethernet access

users, for example, 802.1x users), ssh, telnet, and terminal (this type of users are

terminal users who log into the switch through the Console port).

Description

Use the local-user command to add a local user and enter local user view.

Use the undo local-user command to delete one or more specified local users.

By default, there is no local user in the system.

The strings "a", "al" and "all" cannot be used as local user names.

Related command: display local-user and service-type.

Example

# Add a local user named user1.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] local-user user1

[Sysname-luser-user1]


1.1.23 local-user password-display-mode

Syntax

local-user password-display-mode { cipher-force | auto }

undo local-user password-display-mode 

View

System view

Parameter 

cipher-force: Adopts the forcible cipher mode so that the passwords of all local users

must be displayed in cipher text.

auto: Adopts the automatic mode so that the passwords of local users are displayed in
the modes set with the password command.

Description

Use the local-user password-display-mode command to set the password display
mode of all local users.

Use the undo local-user password-display-mode command to restore the default
password display mode of all local users.

By default, the password display mode of all local users is auto.

When the cipher-force mode is adopted, all passwords are displayed in cipher text
even though some users have specified that their passwords be displayed in plain
text by using the password command with the simple keyword.

Related command: display local-user and password.

Example

# Specify to display all local user passwords in cipher text forcibly.

<Sysname>system-view

System View: return to User View with Ctrl+Z.

[Sysname] local-user password-display-mode cipher-force

1.1.24 password

Syntax

password { simple | cipher } password  

undo password 

View

Local user view


Parameter 

simple: Specifies to display the password in plain text.

cipher: Specifies to display the password in cipher text.

password: Password you want to set, a character string.

• For simple mode, the password must be entered in plain text.

• For cipher mode, the password can be entered either in cipher text or in plain text,
depending on your input.

A plain-text password is a string of up to 63 characters, for example aabbcc. A
cipher-text password string must be 24, 32, 44, 56, 64, 76 or 88 characters long, for
example _(TT8F]Y\5SQ=^Q`MAF4<1!!.

Description

Use the password command to set a password for the local user.

Use the undo password command to cancel the password of the local user.

Note that, after the local-user password-display-mode cipher-force command is executed, the password will be displayed in cipher text even though you use the password command to set the display mode of the password to simple.

Related command: display local-user.

Example

# Set the password of user1 to 20030422 and specify to display the password in plaintext.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] local-user user1

[Sysname-luser-user1] password simple 20030422

1.1.25 self-service-url

Syntax

self-service-url { disable | enable url-string }

undo self-service-url 

View

ISP domain view

Parameter 

url-string: URL of the web page used to modify user password on the self-service server. It is a character string of 1 to 64 characters. The string must begin with "http://", and it cannot contain the character "?".


Description

Use the self-service-url enable command to enable the self-service server location function.

Use the self-service-url disable command to disable the self-service server location function.

Use the undo self-service-url command to restore the default state of this function.

By default, this function is disabled.

Note that:

- This command must be used with the cooperation of a self-service-supported RADIUS server (such as CAMS). Through self-service, users can manage and control their accounts or card numbers by themselves. A server installed with the self-service software is called a self-service server.

- After this command is executed on the switch, users can locate the self-service server through the following operation: choose [change user password] on the 802.1x client; the client opens the default browser (for example, IE or Netscape) and locates the specified URL page used to change user password on the self-service server. Then, the user can change the password.

- A user can choose the [change user password] option on the client only after passing the authentication. If the user fails the authentication, this option is greyed out and unavailable.

Example

# Under the default ISP domain "system", set the URL of the web page used to modify user password on the self-service server to http://10.153.89.94/selfservice/modPasswd1x.jsp|userName.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] domain system

[Sysname-isp-system] self-service-url enable http://10.153.89.94/selfservice/modPasswd1x.jsp|userName

1.1.26 service-type

Syntax

service-type { lan-access | { telnet | ssh | terminal }* [ level level ] }

undo service-type { lan-access | { telnet | ssh | terminal }* }

View

Local user view


Parameter

lan-access: Specifies that this is a LAN access user (who is generally an Ethernet access user, for example, an 802.1x user).

telnet: Authorizes the user to access the Telnet service.

ssh: Authorizes the user to access the SSH service.

terminal: Authorizes the user to access the terminal service (that is, allows the user to log into the switch through the Console port).

level level: Specifies the level of the Telnet, terminal or SSH user, where level is an integer ranging from 0 to 3 and defaulting to 0.

Description

Use the service-type command to authorize the user to access the specified type(s) of service(s).

Use the undo service-type command to inhibit the user from accessing the specified type(s) of service(s).

By default, the user is inhibited from accessing any type of service.

Example

# Authorize user1 to access the Telnet service.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] local-user user1

[Sysname-luser-user1] service-type telnet

1.1.27 service-type ftp

Syntax

service-type ftp [ ftp-directory directory ]

undo service-type ftp [ ftp-directory ]

View

Local user view

Parameter 

ftp-directory directory: Specifies the directory of the FTP user, where directory is a character string of up to 64 characters.


Description

Use the service-type ftp command to configure the FTP service type and accessible directories for users. Use the undo service-type ftp command to restore the default settings.

By default, anonymous users cannot access the switch through FTP and are not authorized for any FTP service; authorized FTP users can access only the root directory.

Related command: service-type.

Example

# Configure user1 with the FTP service type.

<Sysname>system-view

System View: return to User View with Ctrl+Z.

[Sysname] local-user user1

[Sysname-luser-user1] service-type ftp

1.1.28 state

Syntax

state { active | block }

View

ISP domain view or local user view

Parameter

active: Activates the current ISP domain (in ISP domain view) or local user (in local user view), to allow users in the current ISP domain or the current local user to access the network.

block: Hangs up the current ISP domain (in ISP domain view) or local user (in local user view), to inhibit users in the current ISP domain or the current local user from accessing the network.

Description

Use the state command to set the status of the current ISP domain (in ISP domain view) or the status of the local user (in local user view).

By default, an ISP domain is in the active state once it is created, and a local user is in the active state once the user is created.

After an ISP domain is set to the block state, except the online users, the users under this domain are not allowed to access the network.

After the local user is set to the block state, the user is not allowed to access the network.


Related command: domain. 

Example

# Set the ISP domain aabbcc.net to the block state, so that all its offline users cannot access the network.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] domain aabbcc.net

[Sysname-isp-aabbcc.net] state block

# Set user1 to the block state.

<Sysname> system-view

[Sysname] local-user user1

[Sysname-luser-user1] state block

1.2 RADIUS Configuration Commands

1.2.1 data-flow-format

Syntax

data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } }*

undo data-flow-format { data | packet }

View

RADIUS scheme view

Parameter 

data: Sets the unit of measure for data. 

byte: Specifies to measure data in bytes.

giga-byte: Specifies to measure data in gigabytes.

kilo-byte: Specifies to measure data in kilobytes.

mega-byte: Specifies to measure data in megabytes.

packet: Sets the unit of measure for packets.

giga-packet: Specifies to measure packets in giga-packets.

kilo-packet: Specifies to measure packets in kilo-packets.

mega-packet: Specifies to measure packets in mega-packets.

one-packet: Specifies to measure packets in packets.


Description

Use the data-flow-format command to set the units of data flows sent to RADIUS servers.

Use the undo data-flow-format command to restore the default units of data flows sent to RADIUS servers.

By default, the unit of measure for data is byte and that for packets is one-packet.

Related command: display radius.

Example

# Specify to measure data and packets in data flows sent to the RADIUS server in kilobytes and kilo-packets respectively.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] radius scheme radius1

[Sysname-radius-radius1] data-flow-format data kilo-byte packet kilo-packet

1.2.2 display local-server statistics

Syntax

display local-server statistics 

View

 Any view

Parameter 

None

Description

Use the display local-server statistics command to display the statistics about all

local RADIUS authentication servers.

Related command: local-server .

Example

# Display the statistics about local RADIUS authentication server.

<Sysname> display local-server statistics

The localserver packet statistics:

Receive: 30 Send: 30

Discard: 0 Receive Packet Error: 0

 Auth Receive: 10 Auth Send: 10

 Acct Receive: 20 Acct Send: 20


Table 1-3 Description on the fields of the display local-server statistics command

Field                   Description
Receive                 Number of packets received
Send                    Number of packets sent
Discard                 Number of packets dropped
Receive Packet Error    Number of error packets received
Auth Receive            Number of authentication packets received
Auth Send               Number of authentication packets sent
Acct Receive            Number of accounting packets received
Acct Send               Number of accounting packets sent

1.2.3 display radius

Syntax

display radius [ radius-scheme-name ]

View

 Any view

Parameter 

radius-scheme-name: Name of a RADIUS scheme, a character string of up to 32 characters.

Description

Use the display radius command to display the configuration information about one specific or all RADIUS schemes.

Related command: radius scheme.

Example

# Display the configuration information about all RADIUS schemes.

<Sysname> display radius

------------------------------------------------------------------

SchemeName =system

Index=0 Type=huawei

Primary Auth IP =127.0.0.1 Port=1645 State=block

Primary Acct IP =127.0.0.1 Port=1646 State=block

Second Auth IP =0.0.0.0 Port=1812 State=block

Second Acct IP =0.0.0.0 Port=1813 State=block


 Auth Server Encryption Key= huawei

 Acct Server Encryption Key= huawei

Interval for timeout(second) =3

Retransmission times for timeout =3

Interval for realtime accounting(minute) =12

Retransmission times of realtime-accounting packet =5

Retransmission times of stop-accounting packet =500

Quiet-interval(min) =5

Username format =without-domain

Data flow unit =Byte

Packet unit =one

------------------------------------------------------------------

Total 1 RADIUS scheme(s).

Table 1-4 Description on the fields of the display radius command

Field                                               Description
SchemeName                                          Name of the RADIUS scheme
Index                                               Index number of the RADIUS scheme
Type                                                Type of the RADIUS servers
Primary Auth IP/Port/State                          IP address/access port/status of the primary authentication server
Primary Acct IP/Port/State                          IP address/access port/status of the primary accounting server
Second Auth IP/Port/State                           IP address/access port/status of the secondary authentication server
Second Acct IP/Port/State                           IP address/access port/status of the secondary accounting server
Auth Server Encryption Key                          Shared key of the authentication servers
Acct Server Encryption Key                          Shared key of the accounting servers
Interval for timeout(second)                        RADIUS server response timeout time
Retransmission times for timeout                    Retransmission times for timeout
Interval for realtime accounting(minute)            Interval for realtime accounting
Retransmission times of realtime-accounting packet  Retransmission times of realtime-accounting packet
Retransmission times of stop-accounting packet      Retransmission times of stop-accounting packet
Quiet-interval(min)                                 Wait time for the primary servers to restore the active state
Username format                                     User name format
Data flow unit                                      Unit of measure for data in data flows
Packet unit                                         Unit of measure for packets
Total 1 RADIUS scheme(s)                            There is a total of one RADIUS scheme.

1.2.4 display radius statistics

Syntax

display radius statistics

View

 Any view

Parameter 

None

Description

Use the display radius statistics command to display the statistics about RADIUS

packets.

Related command: radius scheme.

Example

# Display the statistics about RADIUS packets.

<Sysname> display radius statistics

state statistic(total=1024):

DEAD=1024 AuthProc=0 AuthSucc=0

 AcctStart=0 RLTSend=0 RLTWait=1

 AcctStop=0 OnLine=1 Stop=0

StateErr=0

Received and Sent packets statistic:

Sent PKT total :38 Received PKT total:2

Resend Times Resend total

1 12

2 12

Total 24

RADIUS received packets statistic:

Code= 2,Num=1 ,Err=0

Code= 3,Num=0 ,Err=0


Code= 5,Num=1 ,Err=0

Code=11,Num=0 ,Err=0

Running statistic:

RADIUS received messages statistic:

Normal auth request , Num=13 , Err=0 , Succ=13

EAP auth request , Num=0 , Err=0 , Succ=0

 Account request , Num=1 , Err=0 , Succ=1

 Account off request , Num=0 , Err=0 , Succ=0

PKT auth timeout , Num=36 , Err=12 , Succ=24

PKT acct_timeout , Num=0 , Err=0 , Succ=0

Realtime Account timer , Num=0 , Err=0 , Succ=0

PKT response , Num=2 , Err=0 , Succ=2

EAP reauth_request , Num=0 , Err=0 , Succ=0

PORTAL access , Num=0 , Err=0 , Succ=0

Update ack , Num=0 , Err=0 , Succ=0

PORTAL access ack , Num=0 , Err=0 , Succ=0

Session ctrl pkt , Num=0 , Err=0 , Succ=0

RADIUS sent messages statistic:

 Auth accept , Num=0

 Auth reject , Num=0

EAP auth replying , Num=0

 Account success , Num=0

 Account failure , Num=0

Cut req , Num=0

RecError_MSG_sum:0 SndMSG_Fail_sum :0

Timer_Err :0 Alloc_Mem_Err :0

State Mismatch :0 Other_Error :0

No-response-acct-stop packet =0

Discarded No-response-acct-stop packet for buffer overflow =0
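The statistics above are what an operator reads when RADIUS authentication starts failing silently. The following parser, added here and not part of the manual, turns that output into counters and flags the conditions worth a look (the SAMPLE text is constructed from the manual's example; the threshold in findings() is an assumption):

```python
"""Parse `display radius statistics` output (format shown above) into counters and
derive a few health findings. Added example, not part of the manual: SAMPLE is
constructed from the manual's example output; the findings thresholds are assumptions."""
import re

SAMPLE = """\
state statistic(total=1024):
DEAD=1024 AuthProc=0 AuthSucc=0
 AcctStart=0 RLTSend=0 RLTWait=1
 AcctStop=0 OnLine=1 Stop=0
StateErr=0
Received and Sent packets statistic:
Sent PKT total :38 Received PKT total:2
RADIUS received packets statistic:
Code= 2,Num=1 ,Err=0
Code= 3,Num=0 ,Err=0
Code=11,Num=0 ,Err=0
Running statistic:
RADIUS received messages statistic:
Normal auth request , Num=13 , Err=0 , Succ=13
PKT auth timeout , Num=36 , Err=12 , Succ=24
RADIUS sent messages statistic:
 Auth accept , Num=0
 Auth reject , Num=0
RecError_MSG_sum:0 SndMSG_Fail_sum :0
"""

# Packet codes (RFC 2865/2866) behind the "Code=" lines.
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
              4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}

# Section headers in the output and the key each one fills in the result dict.
_SECTIONS = (("state statistic", "state"), ("Received and Sent packets", "totals"),
             ("RADIUS received packets", "codes"),
             ("RADIUS received messages", "received_messages"),
             ("RADIUS sent messages", "sent_messages"))
_KV = re.compile(r"([A-Za-z]+)=(\d+)")
_CODE = re.compile(r"^Code=\s*(\d+)\s*,\s*Num=(\d+)\s*,\s*Err=(\d+)")
_MSG = re.compile(r"^(.*?)\s*,\s*Num=(\d+)(?:\s*,\s*Err=(\d+))?(?:\s*,\s*Succ=(\d+))?$")
_TOTAL = re.compile(r"(Sent|Received) PKT total\s*:\s*(\d+)")


def parse_radius_statistics(text):
    """Return {'state', 'sent_total', 'received_total', 'codes',
    'received_messages', 'sent_messages'}; lines that fit no pattern are ignored."""
    stats = {"state": {}, "sent_total": 0, "received_total": 0, "codes": {},
             "received_messages": {}, "sent_messages": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        header = next((key for prefix, key in _SECTIONS if line.startswith(prefix)), None)
        if header:
            section = header
        elif section == "state":
            for name, value in _KV.findall(line):
                stats["state"][name] = int(value)
        elif section == "totals":
            for direction, value in _TOTAL.findall(line):
                stats[direction.lower() + "_total"] = int(value)
        elif section == "codes":
            m = _CODE.match(line)
            if m:
                code = int(m.group(1))
                stats["codes"][code] = {"name": CODE_NAMES.get(code, f"code {code}"),
                                        "num": int(m.group(2)), "err": int(m.group(3))}
        elif section in ("received_messages", "sent_messages"):
            m = _MSG.match(line)
            if m:
                name, num, err, succ = m.groups()
                stats[section][name] = {"num": int(num),
                                        "err": None if err is None else int(err),
                                        "succ": None if succ is None else int(succ)}
    return stats


def findings(stats, min_response_ratio=0.5):
    """Conditions worth a look. Thresholds are assumptions, not from the manual."""
    out = []
    sent, recv = stats["sent_total"], stats["received_total"]
    if sent and recv / sent < min_response_ratio:
        out.append(f"only {recv} of {sent} sent packets were answered")
    timeouts = stats["received_messages"].get("PKT auth timeout")
    if timeouts and timeouts["num"]:
        out.append(f"{timeouts['num']} authentication timeout events (Err={timeouts['err']})")
    rejects = stats["codes"].get(3)
    if rejects and rejects["num"]:
        out.append(f"{rejects['num']} Access-Reject packets received")
    return out


if __name__ == "__main__":
    for finding in findings(parse_radius_statistics(SAMPLE)):
        print("finding:", finding)
```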

1.2.5 display stop-accounting-buffer 

Syntax

display stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name }

View

 Any view


Parameter

radius-scheme radius-scheme-name: Displays the buffered stop-accounting requests of the specified RADIUS scheme, where radius-scheme-name is a character string of up to 32 characters.

session-id session-id: Displays the buffered stop-accounting requests of the specified session ID, where session-id is a character string of up to 50 characters.

time-range start-time stop-time: Displays the buffered stop-accounting requests in the specified request time range, where start-time is the start time of the request time range (the earliest time can be 00:00:00-01/01/1970) and stop-time is the end time of the request time range. Both are in the format hh:mm:ss-mm/dd/yyyy or hh:mm:ss-yyyy/mm/dd. This parameter is used to display the buffered stop-accounting requests from the start time to the end time.

user-name user-name: Displays the buffered stop-accounting requests of the specified user, where user-name is a character string of up to 80 characters.

Description

Use the display stop-accounting-buffer command to display the no-response stop-accounting request packets buffered in the device.

Note:

- You can choose to display the buffered stop-accounting packets of a specified RADIUS scheme, session ID, or user name. You can also specify a time range to display those which are sent within the specified time range. The displayed packet information helps you to diagnose and resolve problems relevant to RADIUS.

- When the switch sends out a stop-accounting packet but gets no response from the RADIUS server, it first buffers the packet and then retransmits it until the maximum number of retransmission attempts (set by the retry stop-accounting command) is reached.

Related command: reset stop-accounting-buffer, stop-accounting-buffer enable and retry stop-accounting.

Example

# Display the buffered stop-accounting requests from 0:0:0 08/31/2002 to 23:59:59 08/31/2002.

<Sysname> display stop-accounting-buffer time-range 0:0:0-08/31/2002 23:59:59-08/31/2002

Total find 0 record(s)


1.2.6 key

Syntax

key { accounting | authentication } string 

undo key { accounting | authentication }

View

RADIUS scheme view

Parameter

accounting: Specifies to set a shared key for the RADIUS accounting packets.

authentication: Specifies to set a shared key for the RADIUS authentication/authorization packets.

string: Shared key, a character string of up to 16 characters.

Description

Use the key command to set a shared key for the RADIUS authentication/authorization packets or accounting packets.

Use the undo key command to restore the corresponding default shared key.

Note that the shared key configured on the device and that on the RADIUS server must be the same.

Related command: primary accounting, primary authentication and radius scheme.

Example

# Set the shared key for the RADIUS authentication/authorization packets in RADIUS scheme radius1 to hello.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] radius scheme radius1

New Radius scheme

[Sysname-radius-radius1] key authentication hello

# Set the shared key for the RADIUS accounting packets in RADIUS scheme radius1 to ok.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] radius scheme radius1

New Radius scheme

[Sysname-radius-radius1] key accounting ok
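What the shared key set with the key command actually does on the wire, and why the note above insists that the switch and the server hold the same key: the RADIUS client validates every server response with an MD5 over the packet and the key, and hides the User-Password with a keystream derived from the key (RFC 2865). The code below is an added example, not part of the manual; it reuses the manual's key hello, while REQUEST_AUTH and the attribute values are constructed here.

```python
"""How the RADIUS shared key set with `key` is used on the wire (RFC 2865), and why the
device's key and the server's key must match.

Added example, not code from the Huawei manual. The key b"hello" matches the manual's
`key authentication hello` example; REQUEST_AUTH and the attribute bytes are constructed."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

SECRET = b"hello"
# A real NAS generates 16 random bytes per request; a fixed value keeps this runnable.
REQUEST_AUTH = bytes(range(16))

def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte length, value."""
    out = b""
    for attr_type, value in attrs:
        out += struct.pack("!BB", attr_type, 2 + len(value)) + value
    return out

def response_authenticator(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_response(code, ident, request_auth, attrs, secret):
    """Build a server response (Access-Accept/Reject) authenticated with `secret`."""
    auth = response_authenticator(code, ident, request_auth, attrs, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def verify_response(packet, request_auth, secret):
    """Client-side check: the response is accepted only if the server used the same key.
    A mismatched key (the failure the manual warns about) makes this return False."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    attrs = packet[20:]
    expected = response_authenticator(code, ident, request_auth, attrs, secret)
    return hmac.compare_digest(packet[4:20], expected)

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2 User-Password hiding: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out

def unhide_password(hidden, secret, request_auth):
    """Server-side inverse of hide_password; a wrong key yields garbage, not an error."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")

def build_access_request(ident, username, password, secret, request_auth):
    """Access-Request as the switch would send it: User-Name plus hidden User-Password."""
    attrs = encode_attrs([(ATTR_USER_NAME, username),
                          (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

if __name__ == "__main__":
    req = build_access_request(7, b"user1", b"20030422", SECRET, REQUEST_AUTH)
    accept = build_response(ACCESS_ACCEPT, 7, REQUEST_AUTH, b"", SECRET)
    print("same key  :", verify_response(accept, REQUEST_AUTH, SECRET))    # True
    print("wrong key :", verify_response(accept, REQUEST_AUTH, b"wrong"))  # False
```

Note that the key also protects only the User-Password attribute, not the rest of the request, which is why the same key must be kept off shared or world-readable configuration backups.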


1.2.7 local-server 

Syntax

local-server nas-ip ip-address key password  

undo local-server nas-ip ip-address

View

System view

Parameter 

nas-ip ip-address: Specifies the IP address of the local RADIUS server, where ip-address is in dotted decimal notation.

key password: Specifies the shared key of the authentication server and access server, where password is a character string of up to 16 characters.

Description

Use the local-server command to create a local RADIUS authentication server (that is, set the related parameters of the server).

Use the undo local-server command to delete the specified local RADIUS authentication server.

By default, a local RADIUS authentication server, with NAS-IP 127.0.0.1, has already been created.

Note that:

- The switch not only supports the traditional RADIUS client service to accomplish user AAA management through a foreign authentication/authorization server and accounting server, but also provides a simple local RADIUS server function for authentication and authorization. This function is called the local RADIUS authentication server function.

- When you use the local RADIUS authentication server function, the UDP port number for the authentication/authorization service must be 1645, and the UDP port number for the accounting service must be 1646.

- The packet encryption key set by the local-server command with the key password parameter must be identical with the authentication/authorization packet encryption key set by the key authentication command in RADIUS scheme view.

- The switch supports at most 16 IP addresses and shared keys of the network access server (including the default local RADIUS authentication server); that is, when the switch serves as a RADIUS authentication server, it can support at most 16 network access servers simultaneously to provide authentication.

Related command: radius scheme and state.


Example

# Create a network access server granted by the RADIUS authentication server with an IP address of 10.110.1.2 and a shared key of aabbcc.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] local-server nas-ip 10.110.1.2 key aabbcc

1.2.8 local-server nas-ip

Syntax

local-server nas-ip ip-address key password  

undo local-server nas-ip ip-address

View

System view

Parameter

nas-ip ip-address: Sets the IP address, represented in dotted decimal notation, of the network access server allowed by the local RADIUS server.

key password: Sets the shared key, a string of up to 16 characters, of the local server.

Description

Use the local-server nas-ip command to configure the related parameters of the local RADIUS server.

Use the undo local-server nas-ip command to remove a configured local RADIUS server.

By default, the system has created a local RADIUS server with 127.0.0.1 as the NAS-IP address and a null string as the shared key.

Note that:

- When the local RADIUS authentication server function is used, the UDP port number used for authentication/authorization must be 1645 and that for accounting must be 1646.

- The shared key configured with this command and that configured with the key { accounting | authentication } command in RADIUS scheme view for authentication/authorization or accounting packets must be the same.

- The device supports up to 16 local RADIUS authentication servers.

Related command: radius scheme, state and local-server enable.


Example

# Set the IP address of the network access server allowed by the local RADIUS authentication server to 10.110.1.2 and the shared key to aabbcc.

<Sysname> system-view

[Sysname] local-server nas-ip 10.110.1.2 key aabbcc

1.2.9 nas-ip

Syntax

nas-ip ip-address

undo nas-ip

View

RADIUS scheme view

Parameter

ip-address: Source IP address for RADIUS packets, an IP address of this device. This address cannot be an all-zero address, a class D address, or a loopback address.

Description

Use the nas-ip command to set the source IP address used by the switch to send RADIUS packets.

Use the undo nas-ip command to remove the source IP address setting.

By default, the IP address of the outbound interface is used as the source IP address of the packet.

Note:

The nas-ip command in RADIUS scheme view has the same function as the radius nas-ip command in system view, and the configuration in RADIUS scheme view takes priority over that in system view.

You can specify the source IP address used to send RADIUS packets to prevent the unreachability of the packets returned from the server due to physical interface trouble. It is recommended to use the loopback interface address as the source IP address.

Related command: radius nas-ip.


Example

# Set the source IP address used by the switch to send the RADIUS packets to 10.1.1.1.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] radius scheme radius1

New Radius scheme

[Sysname-radius-radius1] nas-ip 10.1.1.1
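The source-address rules stated for nas-ip (and repeated for radius nas-ip in system view) are easy to get wrong when several schemes and a system-wide setting coexist. The following added example, not the switch's own code, models the precedence and the three address restrictions; the function names and sample addresses are assumptions:

```python
"""Source-address selection for RADIUS packets as the nas-ip and radius nas-ip
sections describe it: scheme-view nas-ip wins over system-view radius nas-ip, and with
neither set the outbound interface address is used; a configured address may not be
all-zero, class D (multicast) or loopback.

Added example, not the switch's code; function names and sample addresses are assumptions."""
import ipaddress


def validate_nas_ip(addr):
    """Apply the manual's three restrictions on a configured source address."""
    ip = ipaddress.IPv4Address(addr)      # raises ValueError on malformed input
    if ip.is_unspecified:                 # 0.0.0.0
        raise ValueError(f"{addr}: an all-zero address is not allowed")
    if ip.is_multicast:                   # class D, 224.0.0.0/4
        raise ValueError(f"{addr}: a class D address is not allowed")
    if ip.is_loopback:                    # 127.0.0.0/8
        raise ValueError(f"{addr}: a loopback address is not allowed")
    return ip


def is_valid_nas_ip(addr):
    """Boolean form of validate_nas_ip for configuration checks."""
    try:
        validate_nas_ip(addr)
        return True
    except ValueError:
        return False


def select_source_ip(scheme_nas_ip, system_nas_ip, outbound_interface_ip):
    """Return (address, origin). Precedence: RADIUS scheme view > system view >
    outbound interface (the default when neither command is configured).

    The "loopback interface address" the manual recommends is a routable address
    assigned to a LoopBack interface (10.1.1.1 in the manual's example), not an
    address in 127.0.0.0/8, which validate_nas_ip rejects."""
    if scheme_nas_ip is not None:
        return validate_nas_ip(scheme_nas_ip), "nas-ip (RADIUS scheme view)"
    if system_nas_ip is not None:
        return validate_nas_ip(system_nas_ip), "radius nas-ip (system view)"
    return ipaddress.IPv4Address(outbound_interface_ip), "outbound interface"


if __name__ == "__main__":
    for scheme, system in (("10.1.1.1", "10.2.2.2"), (None, "10.2.2.2"), (None, None)):
        ip, origin = select_source_ip(scheme, system, "192.0.2.1")
        print(f"source {ip} from {origin}")
```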

1.2.10 primary accounting

Syntax

primary accounting ip-address [ port-number ]

undo primary accounting 

View

RADIUS scheme view

Parameter

ip-address: IP address, in dotted decimal notation.

port-number: UDP port number, ranging from 1 to 65535. By default, the UDP port for the accounting service is 1813.

Description

Use the primary accounting command to set the IP address and port number of the primary RADIUS accounting server.

Use the undo primary accounting command to restore the default IP address and port number of the primary RADIUS accounting server.

Note that:

- You are not allowed to assign the same IP address to both primary and secondary accounting servers; otherwise, unsuccessful operation is prompted.

- By default, the system defines the RADIUS scheme system, with the IP address of the primary accounting server as 127.0.0.1 and port number as 1646.

Related command: key, radius scheme and state.

Example

# Set the IP address and UDP port number of the primary accounting server of the RADIUS scheme radius1 to 10.110.1.2 and 1813.

<Sysname> system-view

System View: return to User View with Ctrl+Z.


[Sysname] radius scheme radius1

New Radius scheme

[Sysname-radius-radius1] primary accounting 10.110.1.2 1813

1.2.11 primary authentication

Syntax

primary authentication ip-address [ port-number ]

undo primary authentication 

View

RADIUS scheme view

Parameter

ip-address: IP address, in dotted decimal notation.

port-number: UDP port number, ranging from 1 to 65535.

Description

Use the primary authentication command to set the IP address and port number of the primary RADIUS authentication/authorization server.

Use the undo primary authentication command to restore the default IP address and port number of the primary RADIUS authentication/authorization server.

By default, the system defines the RADIUS scheme system, with the IP address of the primary accounting server as 127.0.0.1 and UDP port number as 1646; for a newly-defined RADIUS scheme, the IP address of the primary accounting server is 127.0.0.1 and UDP port number is 1812.

Note that:

- After creating a new RADIUS scheme, you should configure the IP address and UDP port number of each RADIUS server you want to use in this scheme. These RADIUS servers fall into two types: authentication/authorization, and accounting. For each kind of server, you can configure two servers in a RADIUS scheme: primary and secondary servers. A RADIUS scheme has the following attributes: IP addresses of the primary and secondary servers, shared keys, and types of the RADIUS servers.

- In an actual network environment, you can configure the above parameters as required. But you should configure at least one authentication/authorization server and one accounting server, and at the same time, you should keep the RADIUS service port settings on the switch consistent with those on the RADIUS servers.

- You are not allowed to assign the same IP address to both primary and secondary authentication/authorization servers; otherwise, unsuccessful operation is prompted.


Related command: key, radius scheme and state.

Example

# Set the IP address and UDP port number of the primary authentication/authorization server used by the RADIUS scheme radius1 to 10.110.1.1 and 1812.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] radius scheme radius1

New Radius scheme

[Sysname-radius-radius1] primary authentication 10.110.1.1 1812

1.2.12 radius client

Syntax

radius client enable

undo radius client

View

System view

Parameter 

None

Description

Use the radius client enable command to enable the RADIUS client port.

Use the undo radius client command to disable the RADIUS client port.

By default, a RADIUS client port is enabled.

Note that:

• After the RADIUS client port is disabled, Accounting-Request (stop) packets for online users can be neither sent nor buffered. Meanwhile, the RADIUS server cannot receive the packets of online users going offline; in this case, an offline user may remain connected to the server for a period of time. If the local device is used as the RADIUS server, after the port is disabled, the number of connected local users remains what it was before the port was disabled and cannot be updated automatically.

• After the RADIUS client port is disabled, if a RADIUS + local authentication/authorization/accounting scheme is used for a new authentication request, the local authentication/authorization/accounting scheme is used if the request fails RADIUS authentication.


• After the RADIUS client port is disabled, the sending of buffered real-time accounting-request packets fails, and these packets are removed from the buffer after the number of sending failures reaches the limit.

Related command: radius scheme.

1.2.13 radius nas-ip

Syntax

radius nas-ip ip-address 

undo radius nas-ip 

View

System view

Parameter 

ip-address: Source IP address, an IP address of this device. This address cannot be an

all-zero address, class D address, or loopback address.

Description

Use the radius nas-ip command to set the source IP address used by the switch to

send RADIUS packets.

Use the undo radius nas-ip command to restore the default setting.

By default, no source IP address is specified, and the IP address of the outbound

interface is used as the source IP address of the packet.

Note:

The nas-ip command in RADIUS scheme view has the same function as the radius

nas-ip command in system view; and the priority of configuration in RADIUS scheme

view is higher than in system view.

Note that:

• You can specify the source IP address used to send RADIUS packets so that the packets returned from the server remain deliverable even if a physical interface fails. It is recommended to use the loopback interface address as the source IP address.

• You can specify only one source IP address by using this command. When you use this command again, the newly specified source IP address overwrites the old one.


Related command: nas-ip.

Example

# Set the source IP address used by the switch to send the RADIUS packets to 129.10.10.1.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] radius nas-ip 129.10.10.1

1.2.14 radius scheme

Syntax

radius scheme radius-scheme-name

undo radius scheme radius-scheme-name

View

System view

Parameter 

radius-scheme-name: Name of the RADIUS scheme, a character string of up to 32 case-insensitive characters.

Because the display radius keywords are matched by prefix, a scheme named "statistics" (or any leading part of that word) makes the display radius statistics command ambiguous with display radius for that scheme. You are therefore not recommended to define radius-scheme-name as "statistics" or its first several characters.

Description

Use the radius scheme command to create a RADIUS scheme and enter its view.

Use the undo radius scheme command to delete the specified RADIUS scheme.

By default, a RADIUS scheme named "system" has already been created in the

system.

Note that:

• All the attributes of the RADIUS scheme "system" take the default values, which you can see by using the display radius scheme command.

• The RADIUS protocol configuration is performed on a RADIUS scheme basis. For each RADIUS scheme, you should specify at least the IP addresses and UDP port numbers of the RADIUS authentication/authorization and accounting servers, and the parameters required for the RADIUS client to interact with the RADIUS servers.

• A RADIUS scheme can be referenced by multiple ISP domains simultaneously.


• The undo radius scheme command cannot be used to delete the default RADIUS scheme. In addition, you cannot delete a RADIUS scheme which is being used by an online user.

Related command: key, retry realtime-accounting, timer realtime-accounting, stop-accounting-buffer enable, retry stop-accounting, server-type, state, user-name-format, retry, display radius and display radius statistics.

Example

# Create a RADIUS scheme named radius1 and enter its view.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] radius scheme radius1

New Radius scheme

[Sysname-radius-radius1]

1.2.15 radius trap

Syntax

radius trap { accounting-server-down | authentication-server-down } 

undo radius trap { accounting-server-down | authentication-server-down }

View

System view

Parameter 

accounting-server-down: Enables sending traps when the RADIUS accounting

server gives no response.

authentication-server-down : Enables sending traps when the RADIUS

authentication server gives no response.

Description

Use the radius trap command to enable the RADIUS trap function.

Use the undo radius trap command to disable the RADIUS trap function.

By default, RADIUS trap is disabled.

After the RADIUS trap function is enabled, the following happens. If the RADIUS server does not respond to the accounting or authentication request packets from an NAS, the NAS retransmits the accounting or authentication request packets to the server. When the number of packet transmissions from the NAS to the server reaches one half of the maximum transmission number, the system sends a trap message once; when this number reaches the maximum, the system sends a trap message once again.


If the maximum transmission number is an odd number, "one half of the maximum

transmission number" takes the value of the smallest integer that is greater than one

half of the maximum transmission number.

Example

# Enable sending traps when the RADIUS accounting server gives no response.

<Sysname> system-view

[Sysname] radius trap accounting-server-down

# Disable sending traps when the RADIUS accounting server gives no response.

[Sysname] undo radius trap accounting-server-down

1.2.16 reset local-server statistics

Syntax

reset local-server statistics

View

User view

Description

Use the reset local-server statistics command to clear the statistics about the local

server.

Related command: display local-server statistics

Example

# Clear the statistics about the local server.

<Sysname> reset local-server statistics

1.2.17 reset radius statistics

Syntax

reset radius statistics 

View

User view

Parameter 

None


Description

Use the reset radius statistics command to clear the statistics about the RADIUS

protocol.

Related command: display radius.

Example

# Clear the statistics about the RADIUS protocol.

<Sysname> reset radius statistics

1.2.18 reset stop-accounting-buffer 

Syntax

reset stop-accounting-buffer  { radius-scheme  radius-scheme-name | session-id 

session-id | time-range start-time stop-time | user-name user-name }

View

User view

Parameter 

radius-scheme radius-scheme-name: Deletes the buffered stop-accounting requests depending on the specified RADIUS scheme. Where, radius-scheme-name is the name of a RADIUS scheme. This name is a character string of up to 32 characters.

session-id session-id: Deletes the buffered stop-accounting requests depending on the specified session ID. Where, session-id is a character string of up to 50 characters.

time-range start-time stop-time: Deletes the buffered stop-accounting requests depending on the time of the stop-accounting request. Where, start-time is the start time of the request period, stop-time is the end time of the request period, and both are in the format hh:mm:ss-mm/dd/yyyy or hh:mm:ss-yyyy/mm/dd.

user-name user-name: Deletes the buffered stop-accounting request packets depending on the specified user name. Where, user-name is a character string of up to 80 characters.

Description

Use the reset stop-accounting-buffer command to delete the buffered no-response

stop-accounting request packets.

Related command: stop-accounting-buffer enable, retry stop-accounting and

display stop-accounting-buffer . 


Example

# Delete the stop-accounting request packets buffered in the system for the user 

[email protected].

<Sysname> reset stop-accounting-buffer user-name [email protected]

# Delete the stop-accounting request packets buffered from 0:0:0 08/31/2002 to

23:59:59 08/31/2002 in the system.

<Sysname> reset stop-accounting-buffer time-range 00:00:00-08/31/2002

23:59:59-08/31/2002

1.2.19 retry

Syntax

retry retry-times

undo retry

View

RADIUS scheme view

Parameter 

retry-times: Maximum number of RADIUS packet transmission attempts, ranging from

1 to 20.

Description

Use the retry command to set the maximum number of RADIUS packet transmission

attempts.

Use the undo retry command to restore maximum number of RADIUS packet

transmission attempts to the default value.

By default, the maximum number of RADIUS packet transmission attempts is 3.

Note that:

• The communication in RADIUS is unreliable because this protocol adopts UDP packets to carry data. Therefore, it is necessary for the switch to retransmit a RADIUS request if it gets no response from the RADIUS server after the response timeout timer expires. If the maximum number of transmission attempts is reached but the switch still receives no response, the switch considers that the request fails.

• Setting this maximum number of transmission attempts appropriately for the network situation can improve the response speed of the system.

• The product of the maximum RADIUS packet transmission attempts and the response timeout timer for the RADIUS server can be no more than 75 seconds.

Related command: radius scheme and timer response-timeout.


Example

# Set the maximum transmission times of RADIUS requests in the RADIUS scheme

radius1 to five.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] radius scheme radius1

New Radius scheme

[Sysname-radius-radius1] retry 5

1.2.20 retry realtime-accounting

Syntax

retry realtime-accounting retry-times

undo retry realtime-accounting 

View

RADIUS scheme view

Parameter 

retry-times: Maximum number of real-time accounting request attempts, ranging from 1

to 255.

Description

Use the retry realtime-accounting command to set the maximum number of real-time

accounting request attempts.

Use the undo retry realtime-accounting command to restore the default maximum

number of real-time accounting request attempts.

By default, the system can allow five real-time accounting request attempts at most.

Note that:

• Generally, the RADIUS server uses the connection timeout timer to determine whether a user is online or not. If the RADIUS server receives no real-time accounting packet for a specified period of time, it considers that the line or the switch is in trouble and stops the accounting of the user. To make the switch cooperate with this feature on the RADIUS server, it is necessary to cut down the user connection on the switch as soon as possible after the RADIUS server terminates the charging and connection of the user in the case of unforeseen trouble. For this purpose, you can limit the number of consecutive real-time accounting requests that get no response, and the switch cuts down the user connection if it has sent out the maximum number of real-time accounting requests but has received no response.


• A real-time accounting request may be sent multiple times (set by the retry command in RADIUS scheme view) for an accounting attempt. If no response is received even after the number of transmission attempts reaches the maximum, the accounting attempt fails. Suppose that the response timeout time of the RADIUS server is three seconds (set by the timer response-timeout command), that the maximum number of transmission attempts (set by the retry command) is 3, that the real-time accounting interval is 12 minutes (set by the timer realtime-accounting command), and that the maximum number of real-time accounting request attempts is 5 (set by the retry realtime-accounting command). In this case, the switch sends an accounting request every 12 minutes; if the switch does not receive a response within 3 seconds after it sends out an accounting request, it resends the request; if the switch sends the accounting request three times in a row but does not receive any response, it considers this real-time accounting attempt a failure. Then, the switch keeps sending the accounting request every 12 minutes; if the number of accounting failures exceeds five, the user connection is cut down. In general, the product of T and retry-times should be less than t.

Related command: radius scheme and timer realtime-accounting.

Example

# Allow the switch to continuously send at most 10 real-time accounting requests if it

gets no response for the RADIUS scheme radius1.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] radius scheme radius1

New Radius scheme

[Sysname-radius-radius1] retry realtime-accounting 10

1.2.21 retry stop-accounting

Syntax

retry stop-accounting retry-times

undo retry stop-accounting 

View

RADIUS scheme view

Parameter 

retry-times: Maximum number of stop-accounting request failures allowed, ranging

from 10 to 65,535.


Description

Use the retry stop-accounting command to set the maximum number of 

stop-accounting request failures. After this number is reached, the device removes the

buffered stop-accounting request packets.

Use the undo retry stop-accounting command to restore the default maximum

number of stop-accounting request failures.

By default, up to 500 stop-accounting request failures are allowed.

Note that:

• Stop-accounting requests are critical to billing and will eventually affect the charges of the users; they are important for both the users and the ISP. Therefore, the switch should do its best to transmit them to the RADIUS accounting server. If the RADIUS server does not respond to such a request, the switch should first buffer the request on itself, and then retransmit the request to the RADIUS accounting server until it gets a response, or the maximum number of transmission attempts is reached (in this case, it discards the request).

• Assume the response timeout timer for the RADIUS server is set to 3 seconds (with the timer response-timeout command), transmission attempts to 5 (with the retry command), and the device allows up to 20 stop-accounting request failures (with the retry stop-accounting command). This means that if the device receives no response to the stop-accounting request it has sent within 3 seconds, the device retransmits the request; if the device receives no response after it sends the request five times, the device considers that the stop-accounting request failed and buffers the request on itself. Then, the device sends another request to repeat the above-mentioned process. If no response is received after 20 request attempts, the device removes the buffered stop-accounting request packets.

Related command: reset stop-accounting-buffer, radius scheme and display stop-accounting-buffer.

Example

# In RADIUS scheme radius1, specify that up to 1,000 stop-accounting request failures are allowed.

<Sysname> system-view

[Sysname] radius scheme radius1

[Sysname-radius-radius1] retry stop-accounting 1000

1.2.22 secondary accounting

Syntax

secondary accounting ip-address [ port-number ]


undo secondary accounting

View

RADIUS scheme view

Parameter 

ip-address: IP address, in dotted decimal notation. By default, the IP address of the

secondary accounting server is 0.0.0.0.

port-number: UDP port number, ranging from 1 to 65535. By default, the UDP port number of the secondary accounting service is 1813.

Description

Use the secondary accounting command to set the IP address and port number of 

the secondary RADIUS accounting server.

Use the undo secondary accounting command to restore the default IP address and

port number of the secondary RADIUS accounting server.

You are not allowed to assign the same IP address to both primary and secondary accounting servers; otherwise, the operation fails and an error prompt is displayed.

Related command: key, radius scheme and state.

Example

# Set the IP address and UDP port number of the secondary accounting server of the RADIUS scheme radius1 to 10.110.1.1 and 1813.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] radius scheme radius1

New Radius scheme

[Sysname-radius-radius1] secondary accounting 10.110.1.1 1813

1.2.23 secondary authentication

Syntax

secondary authentication ip-address [ port-number ]

undo secondary authentication 

View

RADIUS scheme view

Parameter 

ip-address: IP address, in dotted decimal notation. By default, the IP address of the

secondary authentication/authorization server is 0.0.0.0.


port-number: UDP port number, ranging from 1 to 65535. By default, the UDP port number of the secondary authentication/authorization service is 1812.

Description

Use the secondary authentication command to set the IP address and port number of 

the secondary RADIUS authentication/authorization server.

Use the undo secondary authentication command to restore the default IP address

and port number of the secondary RADIUS authentication/authorization server.

Related command: key, radius scheme and state.

Example

# Set the IP address and UDP port number of the secondary authentication/authorization server used by the RADIUS scheme radius1 to 10.110.1.2 and 1812.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] radius scheme radius1

New Radius scheme

[Sysname-radius-radius1] secondary authentication 10.110.1.2 1812

1.2.24 server-type

Syntax

server-type { extended | standard }

undo server-type 

View

RADIUS scheme view

Parameter 

extended: Specifies to use extended RADIUS protocol (such as the procedure and

packet format) to interact with the extended RADIUS server, which is generally the

CAMS. 

standard: Specifies to use standard RADIUS protocol. That is, it is required that the

RADIUS client (on the switch) and the RADIUS server interact with each other following

the procedure and packet format of the standard RADIUS protocol (RFC2138/2139 or 

above). 

Description

Use the server-type command to specify the RADIUS server type supported by the

switch.


Use the undo server-type command to restore the default RADIUS server type

supported by the switch.

By default, the switch supports the standard type of RADIUS server. The type of 

RADIUS server in the default RADIUS scheme "system" is extended.

Related command: radius scheme.

Example

# Set the RADIUS server type in RADIUS scheme radius1 to extended.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] radius scheme radius1

New Radius scheme

[Sysname-radius-radius1] server-type extended

1.2.25 state

Syntax

state { primary | secondary } { accounting | authentication } { block | active }

View

RADIUS scheme view

Parameter 

primary: Specifies the server to be set is a primary RADIUS server. 

secondary: Specifies the server to be set is a secondary RADIUS server. 

accounting: Specifies the server to be set is a RADIUS accounting server. 

authentication: Specifies the server to be set is a RADIUS

authentication/authorization server. 

block: Sets the status of the specified RADIUS server to block (that is, the down state). 

active: Sets the status of the specified RADIUS server to active (that is, the normal

working state). 

Description

Use the state command to set the status of a RADIUS server.

By default, all the RADIUS servers in a user-defined RADIUS scheme are in the active state.

For the primary and secondary servers (authentication/authorization servers, or 

accounting servers) in a RADIUS scheme, note that:


• When the switch fails to communicate with the primary server due to some server trouble, the switch actively exchanges packets with the secondary server instead.

• After the time the primary server has spent in the block state exceeds the time set with the timer quiet command, the switch tries to communicate with the primary server again when it has a RADIUS request. If the primary server recovers, the switch immediately restores communication with the primary server instead of communicating with the secondary server, and at the same time restores the status of the primary server on the switch to the active state while keeping the status of the secondary server unchanged.

• When both the primary and secondary servers are in the active state, the switch sends packets only to the primary server.

Related command: radius scheme, primary authentication, secondary

authentication, primary accounting and secondary accounting.

Example

# Set the status of the secondary authentication server in RADIUS scheme radius1 to

active.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] radius scheme radius1

New Radius scheme

[Sysname-radius-radius1] state secondary authentication active
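The primary/secondary failover rules in the notes above (state and timer quiet), modeled as an added example that is not code from the Huawei manual: the RadiusServer and ServerPair classes, their method names, the sample addresses and the plain-seconds timestamps are this example's own assumptions.

```python
"""Primary/secondary RADIUS server selection with the quiet timer.

Added example, not code from the Huawei manual: it models the behaviour the
state and timer quiet entries describe. The RadiusServer and ServerPair
classes, their method names and the sample addresses are this example's own.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class RadiusServer:
    ip: str
    port: int
    active: bool = True                  # state ... active (True) | block (False)
    blocked_at: Optional[float] = None   # time (seconds) the server entered block


@dataclass
class ServerPair:
    """A primary/secondary pair of one kind (authentication or accounting)."""
    primary: RadiusServer
    secondary: RadiusServer
    quiet_minutes: int = 5               # timer quiet minutes, default 5

    def set_state(self, server: RadiusServer, active: bool, now: float) -> None:
        """Equivalent of 'state ... block | active' for one server."""
        server.active = active
        server.blocked_at = None if active else now

    def mark_failed(self, server: RadiusServer, now: float) -> None:
        """Communication failure with a server: put it in the block state."""
        self.set_state(server, False, now)

    def mark_recovered(self) -> None:
        """The primary answered a probe: restore it to active.

        The secondary's status is left unchanged, as the manual states.
        """
        self.primary.active = True
        self.primary.blocked_at = None

    def select_server(self, now: float) -> Optional[RadiusServer]:
        """Choose the server for the next RADIUS request.

        - both active: only the primary is used
        - primary blocked for no longer than timer quiet: the secondary is used
        - primary blocked for longer than timer quiet: the primary is probed
          again (the caller calls mark_recovered() if it responds)
        - neither usable: None
        """
        primary, secondary = self.primary, self.secondary
        if primary.active:
            return primary
        quiet_seconds = self.quiet_minutes * 60
        if primary.blocked_at is not None and now - primary.blocked_at > quiet_seconds:
            return primary
        return secondary if secondary.active else None


def failover_walkthrough() -> list:
    """Run the scenario from the manual's notes and return which IP was chosen when."""
    pair = ServerPair(RadiusServer("10.110.1.1", 1812),   # constructed sample addresses
                      RadiusServer("10.110.1.2", 1812))
    chosen = []
    chosen.append(pair.select_server(0).ip)          # both active -> primary
    pair.mark_failed(pair.primary, 0)                 # primary stops answering at t=0
    chosen.append(pair.select_server(60).ip)         # within quiet time -> secondary
    chosen.append(pair.select_server(301).ip)        # quiet time exceeded -> probe primary
    pair.mark_recovered()                             # probe succeeded
    chosen.append(pair.select_server(302).ip)        # primary active again
    return chosen


if __name__ == "__main__":
    print(failover_walkthrough())
```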

1.2.26 stop-accounting-buffer enable

Syntax

stop-accounting-buffer enable

undo stop-accounting-buffer enable 

View

RADIUS scheme view

Parameter 

None

Description

Use the stop-accounting-buffer enable command to enable the switch to buffer the

stop-accounting requests that bring no response.

Use the undo stop-accounting-buffer enable command to disable the switch from

buffering the stop-accounting requests that bring no response.


By default, the switch is enabled to buffer the stop-accounting requests that bring no

response.

Stop-accounting requests are critical to billing and will eventually affect the charges; they are important for both the users and the ISP. Therefore, the switch should do its best to transmit them to the RADIUS server. If the RADIUS accounting server does not respond to such a request, the switch should first buffer the request on itself, and then retransmit the request to the RADIUS accounting server until it gets a response, or the maximum number of transmission attempts is reached (in this case, it discards the request).

Related command: reset stop-accounting-buffer, radius scheme and display stop-accounting-buffer.

Example

# Enable the switch to buffer the stop-accounting requests that bring no response from

the servers in RADIUS scheme radius1.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] radius scheme radius1

New Radius scheme

[Sysname-radius-radius1] stop-accounting-buffer enable

1.2.27 timer quiet

Syntax

timer quiet minutes

undo timer quiet

View

RADIUS scheme view

Parameter 

minutes: Wait time, ranging from 1 minute to 255 minutes. By default, it is 5 minutes.

Description

Use the timer quiet command to set the wait time for the primary server to restore the

active state.

Use the undo timer quiet command to restore the default wait time.

Related command: display radius.


Example

# Set the wait time for the primary server to restore the active state to 10 minutes.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] radius scheme radius1

New Radius scheme

[Sysname-radius-radius1] timer quiet 10

1.2.28 timer realtime-accounting

Syntax

timer realtime-accounting minutes

undo timer realtime-accounting

View

RADIUS scheme view

Parameter 

minutes: Real-time accounting interval. It ranges from 3 minutes to 60 minutes and

must be a multiple of 3. By default, this interval is 12 minutes.

Description

Use the timer realtime-accounting command to set the real-time accounting interval.

Use the undo timer realtime-accounting command to restore the default real-time

accounting interval.

Note that:

• To charge the users in real time, you should set the interval of real-time accounting. After the setting, the switch sends the accounting information of online users to the RADIUS server at regular intervals.

• The setting of the real-time accounting interval depends to some degree on the performance of the switch and the RADIUS server. The higher the performance of the switch and the RADIUS server is, the shorter the interval can be. You are recommended to set the interval as long as possible when the number of users is relatively great (≥ 1000). Table 1-5 lists the numbers of users and the corresponding recommended intervals.

Table 1-5 Numbers of users and corresponding recommended intervals

Number of users    Real-time accounting interval (minutes)
1 to 99            3
100 to 499         6
500 to 999         12
≥ 1000             ≥ 15

Related command: retry realtime-accounting and radius scheme.

Example

# Set the real-time accounting interval of the RADIUS scheme radius1 to 51 minutes.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] radius scheme radius1

New Radius scheme

[Sysname-radius-radius1] timer realtime-accounting 51

1.2.29 timer response-timeout

Syntax

timer response-timeout seconds

undo timer response-timeout

View

RADIUS scheme view

Parameter 

seconds: Response timeout time of RADIUS servers, ranging from 1 second to 10

seconds.

Description

Use the timer response-timeout command to set the response timeout time of 

RADIUS servers.

Use the undo timer response-timeout command to restore the default response

timeout timer of RADIUS servers.

By default, the response timeout time of the RADIUS server is 3 seconds.

Note that:

• If the switch gets no response from the RADIUS server after sending out a RADIUS request (authentication/authorization request or accounting request) and waiting for a time, it should retransmit the packet to ensure that the user can obtain the RADIUS service. This wait time is called the response timeout time of RADIUS servers, and the timer in the switch system that is used to control this time is called the response timeout timer of RADIUS servers. You can use the timer response-timeout command to set the timeout time of this timer.

• Setting the timeout time of this timer appropriately for the network situation can improve the performance of the system.

z  The product of the maximum RADIUS packet transmission attempts and the

response timeout timer for the RADIUS server can be no more than 75 seconds.

Related command: radius scheme and retry.

Example

# Set the response timeout time in the RADIUS scheme radius1 to five seconds.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] radius scheme radius1

New Radius scheme

[Sysname-radius-radius1] timer response-timeout 5

1.2.30 user-name-format

Syntax

user-name-format { with-domain | without-domain }

View

RADIUS scheme view

Parameter 

with-domain: Specifies to include ISP domain names in the user names to be sent to RADIUS servers.

without-domain: Specifies to exclude ISP domain names from the user names to be sent to RADIUS servers.

Description

Use the user-name-format command to set the format of the user names to be sent to RADIUS servers.

By default, except for the default RADIUS scheme "system", the user names sent to RADIUS servers in any RADIUS scheme carry ISP domain names.

Note that:

•  Generally, an access user is named in the userid@isp-name format, where isp-name behind the @ character represents the ISP domain name, by which the device determines which ISP domain it should ascribe the user to. However, some old RADIUS servers cannot accept user names that carry ISP domain names. In this case, it is necessary to remove the domain names from the user names before sending them to the RADIUS server. For this reason, the user-name-format command is designed for you to specify whether or not ISP domain names are carried in the user names sent to the RADIUS server.

•  For a RADIUS scheme, if you have specified that no ISP domain names are carried in the user names, you should not use this RADIUS scheme in more than one ISP domain. Otherwise, such errors may occur: the RADIUS server regards two different users having the same name but belonging to different ISP domains as the same user (because the user names sent to it are the same).

Related command: radius scheme.

Example

# Specify that the user names sent to a RADIUS server in RADIUS scheme radius1 do not carry ISP domain names.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] radius scheme radius1

New Radius scheme

[Sysname-radius-radius1] user-name-format without-domain
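The naming rule and the collision risk described above, modelled in Python as an added example that is not part of the Huawei manual. The function names, the sample user names and the ISP domain names isp1 and isp2 are this example's own constructions; the only behaviour taken from the manual is the userid@isp-name split, the with-domain/without-domain choice and the "system" scheme default.

```python
"""Added example (not from the Huawei manual): model what user-name-format
does to the user name sent to a RADIUS server, and detect the collision the
manual warns about when a without-domain scheme is shared by several ISP
domains.  All user names and domain names below are constructed samples."""

from collections import defaultdict

WITH_DOMAIN = "with-domain"
WITHOUT_DOMAIN = "without-domain"


def split_access_user(name):
    """Split 'userid@isp-name' into (userid, isp-name).  A name without '@'
    carries no explicit ISP domain, so the domain part is None."""
    userid, sep, domain = name.rpartition("@")
    if not sep:
        return name, None
    return userid, domain


def default_user_name_format(scheme):
    """Manual default: every scheme carries the ISP domain name, except the
    built-in RADIUS scheme "system"."""
    return WITHOUT_DOMAIN if scheme == "system" else WITH_DOMAIN


def radius_user_name(access_name, fmt):
    """The user name the switch sends to the RADIUS server for this scheme."""
    userid, domain = split_access_user(access_name)
    if fmt == WITHOUT_DOMAIN or domain is None:
        return userid
    return f"{userid}@{domain}"


def find_collisions(access_names, fmt):
    """Return {radius_name: [access names]} for the names the server can no
    longer tell apart once the scheme strips the domain."""
    seen = defaultdict(list)
    for name in access_names:
        seen[radius_user_name(name, fmt)].append(name)
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    # Constructed sample: the same userid in two ISP domains.
    users = ["alice@isp1", "alice@isp2", "bob@isp1"]
    for fmt in (WITH_DOMAIN, WITHOUT_DOMAIN):
        print(fmt, find_collisions(users, fmt))
```

Run against a real user list, the with-domain result is expected to be empty while the without-domain result lists every userid that appears in more than one domain; any non-empty result is a scheme that must not be shared across those domains.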

1.3 HWTACACS Configuration Commands

1.3.1 data-flow-format

Syntax

data-flow-format { data { byte | giga-byte | kilo-byte | mega-byte } | packet { giga-packet | kilo-packet | mega-packet | one-packet } }*

undo data-flow-format { data | packet }

View

HWTACACS view

Parameter 

data: Sets data unit. 

byte: Sets 'byte' as the unit of data flow.

giga-byte: Sets 'giga-byte' as the unit of data flow.

kilo-byte: Sets 'kilo-byte' as the unit of data flow.

mega-byte: Sets 'mega-byte' as the unit of data flow.

packet: Sets data packet unit.

giga-packet: Sets 'giga-packet' as the unit of packet flow.

kilo-packet: Sets 'kilo-packet' as the unit of packet flow.


mega-packet: Sets 'mega-packet' as the unit of packet flow.

one-packet: Sets 'one-packet' as the unit of packet flow.

Description

Use the data-flow-format command to configure the unit of data flows sent to the TACACS server.

Use the undo data-flow-format command to restore the default.

By default, the data unit is byte and the data packet unit is one-packet.

Related command: display hwtacacs.

Example

# Set the unit of data flow destined for the HWTACACS server to kilo-byte and the data packet unit to kilo-packet.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] data-flow-format data kilo-byte

[Sysname-hwtacacs-hwt1] data-flow-format packet kilo-packet

1.3.2 display hwtacacs

Syntax

display hwtacacs [ hwtacacs-scheme-name [ statistics ] ]

View

 Any view

Parameter 

hwtacacs-scheme-name: HWTACACS scheme name, a string of 1 to 32 case-insensitive characters. If no HWTACACS scheme is specified, the system displays the configuration of all HWTACACS schemes.

statistics: Displays complete statistics about the HWTACACS server.

Description

Use the display hwtacacs command to view configuration or statistics information of specified or all HWTACACS schemes.

Related command: hwtacacs scheme.

Example

# View configuration information of HWTACACS scheme gy.


<Sysname> display hwtacacs gy

--------------------------------------------------------------------------

HWTACACS-server template name : gy

Primary-authentication-server : 0.0.0.0:0

Primary-authorization-server : 0.0.0.0:0

Primary-accounting-server : 0.0.0.0:0

Secondary-authentication-server : 0.0.0.0:0

Secondary-authorization-server : 0.0.0.0:0

Secondary-accounting-server : 0.0.0.0:0

Current-authentication-server : 0.0.0.0:0

Current-authorization-server : 0.0.0.0:0

Current-accounting-server : 0.0.0.0:0

Nas-IP address : 0.0.0.0

key authentication : -

key authorization : -

key accounting : -

Quiet-interval(min) : 5

Realtime-accounting-interval(min) : 12

Response-timeout-interval(sec) : 5

 Acct-stop-PKT retransmit times : 100

Domain-included : Yes

Data traffic-unit : B

Packet traffic-unit : one-packet

--------------------------------------------------------------------------

Total 1 HWTACACS scheme(s),1 listed

Table 1-6 Description on the fields of the display hwtacacs command

Field                              Description
HWTACACS-server template name      HWTACACS server scheme name
Primary-authentication-server      Primary authentication server
Primary-authorization-server       Primary authorization server
Primary-accounting-server          Primary accounting server
Secondary-authentication-server    Secondary authentication server
Secondary-authorization-server     Secondary authorization server
Secondary-accounting-server        Secondary accounting server
Current-authentication-server      Current authentication server
Current-authorization-server       Current authorization server
Current-accounting-server          Current accounting server
NAS-IP-address                     NAS IP address
key authentication                 Authentication key
key authorization                  Authorization key
key accounting                     Accounting key
Quiet-interval                     Wait time for the primary servers to restore the active state
Realtime-accounting-interval       Real-time accounting interval
Response-timeout-interval          Response timeout time of the server
Acct-stop-PKT retransmit times     Accounting-stop packet retransmission times
Domain-included                    Domain included
Data traffic-unit                  Unit of data traffic
Packet traffic-unit                Unit of packet traffic
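A parser for the display hwtacacs output shown above, with the checks an auditor would run over it. This is an added example, not code from Huawei or from the manual; the sample text is the manual's output for scheme gy, and the audit rules (shared key still unset, server still 0.0.0.0:0, NAS IP still 0.0.0.0) are assumptions of this example, not checks the switch itself performs.

```python
"""Added example (not part of the manual): parse the text printed by
`display hwtacacs` and flag settings an auditor would want to look at.
SAMPLE_OUTPUT is the manual's own output for scheme "gy"; the audit rules in
audit_scheme() are this example's assumptions."""

SAMPLE_OUTPUT = """\
--------------------------------------------------------------------------
HWTACACS-server template name : gy
Primary-authentication-server : 0.0.0.0:0
Primary-authorization-server : 0.0.0.0:0
Primary-accounting-server : 0.0.0.0:0
Secondary-authentication-server : 0.0.0.0:0
Secondary-authorization-server : 0.0.0.0:0
Secondary-accounting-server : 0.0.0.0:0
Current-authentication-server : 0.0.0.0:0
Current-authorization-server : 0.0.0.0:0
Current-accounting-server : 0.0.0.0:0
Nas-IP address : 0.0.0.0
key authentication : -
key authorization : -
key accounting : -
Quiet-interval(min) : 5
Realtime-accounting-interval(min) : 12
Response-timeout-interval(sec) : 5
 Acct-stop-PKT retransmit times : 100
Domain-included : Yes
Data traffic-unit : B
Packet traffic-unit : one-packet
--------------------------------------------------------------------------
Total 1 HWTACACS scheme(s),1 listed
"""


def parse_display_hwtacacs(text):
    """Return a list of schemes, each a dict of field -> value string.
    Schemes are delimited by the dashed rule lines; the trailing
    'Total ... listed' summary line is ignored."""
    schemes, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Total "):
            continue
        if set(line) == {"-"}:          # dashed rule: closes an open scheme
            if current:
                schemes.append(current)
            current = None
            continue
        field, sep, value = line.partition(" : ")
        if not sep:
            continue                    # not a "field : value" line
        if current is None:
            current = {}
        current[field.strip()] = value.strip()
    if current:
        schemes.append(current)
    return schemes


def audit_scheme(scheme):
    """Findings for one parsed scheme: shared keys still unset ("-"),
    primary servers still unconfigured (0.0.0.0:0), and a NAS IP that is
    still 0.0.0.0, meaning the source address follows the egress interface."""
    findings = []
    for role in ("authentication", "authorization", "accounting"):
        if scheme.get(f"key {role}", "-") == "-":
            findings.append(f"no shared key for {role}")
        if scheme.get(f"Primary-{role}-server", "0.0.0.0:0") == "0.0.0.0:0":
            findings.append(f"no primary {role} server")
    if scheme.get("Nas-IP address") == "0.0.0.0":
        findings.append("nas-ip not set; source address follows egress interface")
    return findings


if __name__ == "__main__":
    for scheme in parse_display_hwtacacs(SAMPLE_OUTPUT):
        print(scheme["HWTACACS-server template name"], audit_scheme(scheme))
```

On the manual's sample the audit reports seven findings, which is what you would expect from a scheme that has just been created and not yet configured; on a production scheme the list should be empty.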

1.3.3 display stop-accounting-buffer 

Syntax

display stop-accounting-buffer { hwtacacs-scheme hwtacacs-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name }

View

 Any view

Parameter 

hwtacacs-scheme hwtacacs-scheme-name: Displays information on buffered stop-accounting requests according to the HWTACACS scheme specified by hwtacacs-scheme-name, the name of an HWTACACS scheme, a character string of up to 32 characters.

session-id session-id: Displays information on buffered stop-accounting requests according to the session ID specified by session-id, a character string of up to 50 characters.

time-range start-time stop-time: Displays information on buffered stop-accounting requests according to the request time, where start-time is the start time of the stop-accounting request and stop-time is the end time of the stop-accounting request. This argument is in the format hh:mm:ss-mm/dd/yyyy or hh:mm:ss-yyyy/mm/dd and is used to display the buffered stop-accounting requests from the start time to the end time.

user-name user-name: Displays information on buffered stop-accounting requests according to the user name specified by user-name, a character string of up to 80 characters.

Description

Use the display stop-accounting-buffer command to view information on the stop-accounting requests buffered in the switch.

Related command: reset stop-accounting-buffer, stop-accounting-buffer enable, and retry stop-accounting.

Example

# Display the stop-accounting requests buffered in the HWTACACS scheme "hwt1".

<Sysname> display stop-accounting-buffer hwtacacs-scheme hwt1

1.3.4 hwtacacs nas-ip

Syntax

hwtacacs nas-ip ip-address 

undo hwtacacs nas-ip 

View

System view

Parameter 

ip-address: Specifies a source IP address for the switch, which cannot be an all-zero address, class D address or loopback address.

Description

Use the hwtacacs nas-ip command to specify the source address of the HWTACACS packets sent from the NAS.

Use the undo hwtacacs nas-ip command to restore the default setting.

By default, the source address is not specified, that is, the address of the interface sending the packet serves as the source address.

Note that:

•  By specifying the source address of the HWTACACS packets, you can avoid destination unreachable packets returned from the server upon interface failure. The source address is normally recommended to be a loopback interface address.

•  This command specifies only one source address; therefore, the newly configured source address may overwrite the original one.

•  The nas-ip command in HWTACACS scheme view takes effect only for the current HWTACACS scheme, while that in system view is for all HWTACACS schemes. The former takes priority.

Related command: nas-ip.

Example

# Configure the switch to send HWTACACS packets from 129.10.10.1.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] hwtacacs nas-ip 129.10.10.1

1.3.5 hwtacacs scheme

Syntax

hwtacacs scheme hwtacacs-scheme-name  

undo hwtacacs scheme hwtacacs-scheme-name  

View

System view

Parameter 

hwtacacs-scheme-name: Specifies an HWTACACS server scheme, with a character string of up to 32 case-insensitive characters.

Description

Use the hwtacacs scheme command to create an HWTACACS scheme and enter its view.

Use the undo hwtacacs scheme command to delete the HWTACACS scheme.

By default, no HWTACACS scheme exists.

Example

# Create an HWTACACS scheme named "hwt1" and enter the relevant HWTACACS view.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1]


1.3.6 key

Syntax

key { accounting | authentication | authorization } string 

undo key { accounting | authentication | authorization } 

View

HWTACACS scheme view

Parameter 

accounting: Specifies a shared key for the accounting server.

authentication: Specifies a shared key for HWTACACS authentication packets.

authorization: Specifies a shared key for HWTACACS authorization packets.

string: Shared key, a string of 1 to 16 characters.

Description

Use the key command to configure a shared key for HWTACACS authentication, authorization or accounting.

Use the undo key command to delete the configuration.

By default, no key is set for any HWTACACS server.

Related command: display hwtacacs.

Example

# Use hello as the shared key for HWTACACS accounting packets.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] key accounting hello

1.3.7 nas-ip

Syntax

nas-ip ip-address

undo nas-ip

View

HWTACACS scheme view


Parameter 

ip-address: Specified source IP address, which cannot be an all-zero address, class D address or loopback address.

Description

Use the nas-ip command to specify the source address for sending HWTACACS packets.

Use the undo nas-ip command to restore the default setting.

Note that:

•  By specifying the source address of the HWTACACS packets, you can avoid destination unreachable packets returned from the server upon interface failure. The source address is normally recommended to be a loopback interface address.

•  This command specifies only one source address; therefore, the newly configured source address may overwrite the original one.

•  The nas-ip command in HWTACACS scheme view takes effect only for the current HWTACACS scheme, while that in system view is for all HWTACACS schemes. The former takes priority.

Related command: hwtacacs nas-ip.

Example

# Set the source IP address of the HWTACACS packets to 10.1.1.1.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] nas-ip 10.1.1.1

1.3.8 primary accounting

Syntax

primary accounting ip-address [ port-number ]

undo primary accounting

View

HWTACACS scheme view

Parameter 

ip-address: IP address of the server, a valid unicast address in dotted decimal format. By default, the IP address of the primary accounting server is 0.0.0.0.

port-number: Port number of the server, which is in the range 1 to 65535 and defaults to 49.


Description

Use the primary accounting command to configure a primary HWTACACS accounting server.

Use the undo primary accounting command to delete the configured primary HWTACACS accounting server.

Note that:

•  You are not allowed to assign the same IP address to both the primary and secondary accounting servers; otherwise, the system prompts that the operation failed.

•  If you repeatedly use this command, the latest configuration overwrites the previous one.

•  You can remove an accounting server only when it is not being used by any active TCP connections, and the removal affects only packets forwarded afterwards.

Example

# Configure a primary accounting server.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] hwtacacs scheme test1

[Sysname-hwtacacs-test1] primary accounting 10.163.155.12 49

1.3.9 primary authentication

Syntax

primary authentication ip-address [ port-number ]

undo primary authentication 

View

HWTACACS scheme view

Parameter 

ip-address: IP address of the server, a valid unicast address in dotted decimal format. By default, the IP address of the primary authentication server is 0.0.0.0.

port-number: Port number of the server, which is in the range 1 to 65535 and defaults to 49.

Description

Use the primary authentication command to configure a primary HWTACACS authentication server.

Use the undo primary authentication command to delete the configured authentication server.


Note that:

•  You are not allowed to assign the same IP address to both the primary and secondary authentication servers; otherwise, the system prompts that the operation failed.

•  If you repeatedly use this command, the latest configuration overwrites the previous one.

•  You can remove an authentication server only when it is not being used by any active TCP connections, and the removal affects only packets forwarded afterwards.

Related command: display hwtacacs.

Example

# Configure a primary authentication server.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] primary authentication 10.163.155.13 49

1.3.10 primary authorization

Syntax

primary authorization ip-address [ port-number ]

undo primary authorization

View

HWTACACS scheme view

Parameter 

ip-address: IP address of the server, a valid unicast address in dotted decimal format. By default, the IP address of the primary authorization server is 0.0.0.0.

port-number: Port number of the server, which is in the range 1 to 65535 and defaults to 49.

Description

Use the primary authorization command to configure a primary HWTACACS authorization server.

Use the undo primary authorization command to delete the configured primary authorization server.

Note that:

•  You are not allowed to assign the same IP address to both the primary and secondary authorization servers; otherwise, the system prompts that the operation failed.

•  If you repeatedly use this command, the latest configuration overwrites the previous one.

•  You can remove an authorization server only when it is not being used by any active TCP connections, and the removal affects only packets forwarded afterwards.

Related command: display hwtacacs.

Example

# Configure a primary authorization server.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] primary authorization 10.163.155.13 49

1.3.11 reset hwtacacs statistics

Syntax

reset hwtacacs statistics { accounting | authentication | authorization | all }

View

User view

Parameter 

accounting: Clears all the HWTACACS accounting statistics.

authentication: Clears all the HWTACACS authentication statistics.

authorization: Clears all the HWTACACS authorization statistics.

all: Clears all statistics.

Description

Use the reset hwtacacs statistics command to clear HWTACACS protocol statistics.

Related command: display hwtacacs.

Example

# Clear all HWTACACS protocol statistics.

<Sysname> reset hwtacacs statistics all


1.3.12 reset stop-accounting-buffer 

Syntax

reset stop-accounting-buffer { hwtacacs-scheme hwtacacs-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name }

View

User view

Parameter 

hwtacacs-scheme hwtacacs-scheme-name: Deletes the stop-accounting requests from the buffer according to the specified HWTACACS scheme name. hwtacacs-scheme-name specifies the HWTACACS scheme name, a character string of up to 32 characters.

session-id session-id: Deletes the buffered stop-accounting requests that match the session ID specified by session-id, a character string of up to 50 characters.

time-range start-time stop-time: Deletes the buffered stop-accounting requests according to the request time, where start-time is the start time of the stop-accounting request and stop-time is the end time of the stop-accounting request. This argument is in the format hh:mm:ss-mm/dd/yyyy or hh:mm:ss-yyyy/mm/dd and selects the buffered stop-accounting requests from the start time to the end time.

user-name user-name: Deletes the buffered stop-accounting requests that match the user name specified by user-name, a character string of up to 80 characters.

Description

Use the reset stop-accounting-buffer command to clear the stop-accounting requests that have no response and are buffered on the switch.

Related command: stop-accounting-buffer enable, retry stop-accounting, display stop-accounting-buffer.

Example

# Delete the stop-accounting requests buffered for the HWTACACS scheme "hwt1".

<Sysname> reset stop-accounting-buffer hwtacacs-scheme hwt1


1.3.13 retry stop-accounting

Syntax

retry stop-accounting retry-times

undo retry stop-accounting

View

HWTACACS scheme view

Parameter 

retry-times: Maximum number of real-time stop-accounting request attempts. It is in the range 1 to 300 and defaults to 100.

Description

Use the retry stop-accounting command to enable stop-accounting packet retransmission and configure the maximum number of stop-accounting request attempts.

Use the undo retry stop-accounting command to restore the default setting.

By default, stop-accounting packet retransmission is enabled and has 100 attempts for each request.

Related command: reset stop-accounting-buffer, hwtacacs scheme, and display stop-accounting-buffer.

Example

# Enable stop-accounting packet retransmission and allow up to 50 attempts for each request.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] retry stop-accounting 50

1.3.14 secondary accounting

Syntax

secondary accounting ip-address [ port-number ]

undo secondary accounting 

View

HWTACACS scheme view


Parameter 

ip-address: IP address of the server, a valid unicast address in dotted decimal format. By default, the IP address of the secondary accounting server is 0.0.0.0.

port-number: Port number of the server, which is in the range of 1 to 65535 and defaults to 49.

Description

Use the secondary accounting command to configure a secondary HWTACACS accounting server.

Use the undo secondary accounting command to delete the configured secondary TACACS accounting server.

Note that:

•  You are not allowed to assign the same IP address to both the primary and secondary accounting servers; otherwise, the system prompts that the operation failed.

•  If you repeatedly use this command, the latest configuration overwrites the previous one.

•  You can remove an accounting server only when it is not being used by any active TCP connections.

Example

# Configure a secondary accounting server.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary accounting 10.163.155.12 49

1.3.15 secondary authentication

Syntax

secondary authentication ip-address [ port-number ]

undo secondary authentication 

View

HWTACACS scheme view

Parameter 

ip-address: IP address of the server, a valid unicast address in dotted decimal format. By default, the IP address of the secondary authentication server is 0.0.0.0.

port-number: Port number of the server, which is in the range of 1 to 65535 and defaults to 49.


Description

Use the secondary authentication command to configure a secondary HWTACACS authentication server.

Use the undo secondary authentication command to delete the configured secondary authentication server.

Note that:

•  You are not allowed to assign the same IP address to both the primary and secondary authentication servers; otherwise, the system prompts that the operation failed.

•  If you repeatedly use this command, the latest configuration overwrites the previous one.

•  You can remove an authentication server only when it is not being used by any active TCP connections.

Related command: display hwtacacs.

Example

# Configure a secondary authentication server.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary authentication 10.163.155.13 49

1.3.16 secondary authorization

Syntax

secondary authorization ip-address [ port-number ]

undo secondary authorization

View

HWTACACS scheme view

Parameter 

ip-address: IP address of the server, a valid unicast address in dotted decimal format. By default, the IP address of the secondary authorization server is 0.0.0.0.

port-number: Port number of the server, in the range of 1 to 65535. By default, it is 49.

Description

Use the secondary authorization command to configure a secondary HWTACACS authorization server.

Use the undo secondary authorization command to delete the configured secondary authorization server.


Note that:

•  You are not allowed to assign the same IP address to both the primary and secondary authorization servers.

•  If you repeatedly use this command, the latest configuration overwrites the previous one.

•  You can remove an authorization server only when it is not being used by any active TCP connections.

Related command: display hwtacacs.

Example

# Configure the secondary authorization server.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] secondary authorization 10.163.155.13 49

1.3.17 stop-accounting-buffer enable

Syntax

stop-accounting-buffer enable

undo stop-accounting-buffer enable 

View

HWTACACS scheme view

Parameter 

None

Description

Use the stop-accounting-buffer enable command to enable the switch to buffer the stop-accounting requests that bring no response.

Use the undo stop-accounting-buffer enable command to disable the switch from buffering the stop-accounting requests that bring no response.

By default, the switch is enabled to buffer the stop-accounting requests that bring no response.

Stop-accounting requests are critical to billing and will eventually affect the charges; they are important for both the users and the ISP. Therefore, the switch should do its best to transmit them to the RADIUS server. If the RADIUS accounting server does not respond to such a request, the switch should first buffer the request on itself, and then retransmit the request to the RADIUS accounting server until it gets a response, or the maximum number of transmission attempts is reached (in this case, it discards the request).

Related command: reset stop-accounting-buffer, hwtacacs scheme, display stop-accounting-buffer.

Example

# Enable the switch to buffer the stop-accounting requests that bring no response from the servers in HWTACACS scheme hwt1.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] hwtacacs scheme hwt1

[Sysname-hwtacacs-hwt1] stop-accounting-buffer enable
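The buffer-and-retransmit behaviour described above, together with the retry stop-accounting limit (1.3.13) and the selectors of display stop-accounting-buffer (1.3.3) and reset stop-accounting-buffer (1.3.12), as a small Python model. This is an added example, not code from Huawei or the manual; the class and method names, the scheme, session and user names, and the choice to count the first transmission towards the retry limit are this example's own assumptions.

```python
"""Added example (not part of the manual): model of the stop-accounting
buffer the HWTACACS commands control.  A request that gets no answer is
buffered (stop-accounting-buffer enable), retransmitted up to the
retry stop-accounting limit, and then discarded.  The filters mirror the
keywords of display/reset stop-accounting-buffer.  Whether the first
transmission counts towards the limit is an assumption of this model."""

from dataclasses import dataclass, field


@dataclass
class StopRequest:
    scheme: str          # HWTACACS scheme name (constructed sample values)
    session_id: str
    user_name: str
    attempts: int = 0    # transmissions so far, including the first one


@dataclass
class StopAccountingBuffer:
    retry_times: int = 100          # manual default for retry stop-accounting
    buffering_enabled: bool = True  # manual default: buffering is on
    pending: list = field(default_factory=list)
    discarded: list = field(default_factory=list)

    def send(self, req, server_responds):
        """First transmission of a stop-accounting request.  Returns True if
        the server acknowledged it; otherwise the request is buffered when
        buffering is enabled and dropped when it is not."""
        req.attempts = 1
        if server_responds(req):
            return True
        if self.buffering_enabled:
            self.pending.append(req)
        else:
            self.discarded.append(req)
        return False

    def retransmit_once(self, server_responds):
        """One retransmission pass over the buffer.  Acknowledged requests
        leave the buffer; requests that reach the attempt limit are
        discarded.  Returns the number of acknowledgements."""
        acked, still_pending = 0, []
        for req in self.pending:
            req.attempts += 1
            if server_responds(req):
                acked += 1
            elif req.attempts >= self.retry_times:
                self.discarded.append(req)
            else:
                still_pending.append(req)
        self.pending = still_pending
        return acked

    def display(self, scheme=None, session_id=None, user_name=None):
        """display stop-accounting-buffer with one of its selector keywords."""
        return [r for r in self.pending
                if (scheme is None or r.scheme == scheme)
                and (session_id is None or r.session_id == session_id)
                and (user_name is None or r.user_name == user_name)]

    def reset(self, scheme=None, session_id=None, user_name=None):
        """reset stop-accounting-buffer: drop the matching requests and
        return how many were dropped."""
        drop = self.display(scheme, session_id, user_name)
        self.pending = [r for r in self.pending if r not in drop]
        return len(drop)


if __name__ == "__main__":
    # Constructed scenario: the accounting server never answers.
    buf = StopAccountingBuffer(retry_times=3)
    buf.send(StopRequest("hwt1", "s1", "alice"), lambda r: False)
    while buf.pending:
        buf.retransmit_once(lambda r: False)
    print("discarded after limit:", [r.attempts for r in buf.discarded])
```

The model makes the operational trade-off visible: a high retry limit keeps billing records alive through a long server outage at the cost of buffer memory, while a low limit frees the buffer sooner but loses the accounting-stop for any session whose server was down for the whole retry window.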

1.3.18 timer quiet

Syntax

timer quiet minutes

undo timer quiet

View

HWTACACS scheme view

Parameter 

minutes: Length of the timer in minutes, in the range of 1 to 255. By default, the primary server must wait five minutes before it resumes the active state.

Description

Use the timer quiet command to set the duration that a primary server must wait before it can resume the active state.

Use the undo timer quiet command to restore the default (five minutes).

Related command: display hwtacacs.

Example

# Set the quiet timer for the primary server to ten minutes.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] timer quiet 10


1.3.19 timer realtime-accounting

Syntax

timer realtime-accounting minutes
undo timer realtime-accounting

View

HWTACACS scheme view

Parameter

minutes: Real-time accounting interval, a multiple of 3 in the range 3 to 60 minutes.

Description

Use the timer realtime-accounting command to configure the real-time accounting interval.

Use the undo timer realtime-accounting command to restore the default setting.

By default, the real-time accounting interval is 12 minutes.

Note that:

- A real-time accounting interval is required for real-time accounting. Once an interval is set, the switch sends the accounting information of online users to the TACACS accounting server at intervals of this length.
- The right interval depends on the performance of the switch and of the TACACS server: a shorter interval demands more of the device. A longer interval is therefore recommended when there are many users (1000 or more). Table 1-7 lists the recommended real-time accounting intervals for different numbers of users.

Table 1-7 Recommended intervals for different numbers of users

  Number of users    Real-time accounting interval (minutes)
  1 – 99             3
  100 – 499          6
  500 – 999          12
  ≥ 1000             ≥ 15


Example

# Set the real-time accounting interval in the HWTACACS scheme "hwt1" to 51 minutes.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] timer realtime-accounting 51

1.3.20 timer response-timeout

Syntax

timer response-timeout seconds
undo timer response-timeout

View

HWTACACS scheme view

Parameter

seconds: Length of the response timer in seconds, in the range of 1 to 300. The default is 5.

Description

Use the timer response-timeout command to set the response timeout timer for the TACACS server.

Use the undo timer response-timeout command to restore the default (five seconds).

Because HWTACACS runs over TCP, either the server response timeout or the TCP timeout can cause the connection to the TACACS server to be torn down.

Related command: display hwtacacs.

Example

# Set the response timeout time of the TACACS server to 30 seconds.

<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] hwtacacs scheme hwt1
[Sysname-hwtacacs-hwt1] timer response-timeout 30

1.3.21 user-name-format

Syntax

user-name-format { with-domain | without-domain }


View

HWTACACS scheme view

Parameter

with-domain: Sends the username together with its ISP domain name to the TACACS server.

without-domain: Sends the username without any domain name to the TACACS server.

Description

Use the user-name-format command to configure the format of the username sent to the TACACS server.

By default, the username sent to the TACACS server carries the ISP domain name (with-domain).

Note that:

- Supplicants are generally named in the userid@isp-name format. The part after the @ sign is the ISP domain name, by which the switch assigns the user to the corresponding ISP domain. Some earlier TACACS servers, however, reject usernames that include an ISP domain name; for such servers the username is sent with the domain name removed. This command therefore lets you decide whether the username sent to the TACACS server carries the ISP domain name or not.
- If an HWTACACS scheme is configured to send usernames without the ISP domain name, do not use that scheme in more than one ISP domain. Otherwise the TACACS server will mistake two users in different ISP domains for the same user whenever they share a userid (the part before the domain name), and one user's authentication, authorization and accounting records will be applied to the other.

Related command: hwtacacs scheme.

Example

# Specify to send the username without any domain name to the TACACS server in HWTACACS scheme "hwt1".
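The domain-reuse rule above, together with the timer ranges, Table 1-7 and the stop-accounting buffering default from the preceding commands, can be checked mechanically against a saved configuration. The following Python audit is an added example, not from the manual or from Huawei: it parses a constructed configuration excerpt written in this chapter's command syntax and reports the settings the chapter warns about. The "domain <name>" sections with a "scheme hwtacacs-scheme <name>" binding line are assumed syntax (this page does not show how a scheme is bound to an ISP domain), and the per-scheme user counts passed to the audit are assumed inputs.

```python
"""Audit HWTACACS scheme settings in a Quidway-style configuration excerpt.

Added example, not from the Huawei manual. The domain binding syntax
("scheme hwtacacs-scheme <name>" under "domain <name>") and the user
counts handed to audit() are assumptions.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed configuration excerpt (not captured from a real switch).
SAMPLE_CONFIG = """\
#
hwtacacs scheme hwt1
 user-name-format without-domain
 timer quiet 10
 timer realtime-accounting 51
 timer response-timeout 30
#
hwtacacs scheme hwt2
 timer realtime-accounting 3
 undo stop-accounting-buffer enable
#
domain isp1
 scheme hwtacacs-scheme hwt1
#
domain isp2
 scheme hwtacacs-scheme hwt1
#
domain isp3
 scheme hwtacacs-scheme hwt2
#
"""

# Defaults as documented for the HWTACACS scheme view.
DEFAULTS = {
    "user-name-format": "with-domain",
    "timer quiet": 5,                  # minutes, valid 1..255
    "timer realtime-accounting": 12,   # minutes, multiple of 3 in 3..60
    "timer response-timeout": 5,       # seconds, valid 1..300
    "stop-accounting-buffer": True,
}
RANGES = {"timer quiet": (1, 255), "timer response-timeout": (1, 300)}

TIMER_RE = re.compile(r"timer (quiet|realtime-accounting|response-timeout) (\d+)$")
FORMAT_RE = re.compile(r"user-name-format (with-domain|without-domain)$")
BINDING_RE = re.compile(r"scheme hwtacacs-scheme (\S+)")   # assumed domain-view syntax


def recommended_interval(users: int) -> int:
    """Minimum real-time accounting interval (minutes) from Table 1-7."""
    if users < 100:
        return 3
    if users < 500:
        return 6
    if users < 1000:
        return 12
    return 15


def parse_config(text: str) -> Tuple[Dict[str, dict], Dict[str, List[str]]]:
    """Return per-scheme settings and the domains bound to each scheme."""
    schemes: Dict[str, dict] = {}
    bindings: Dict[str, List[str]] = defaultdict(list)
    section = None  # ("scheme", name) or ("domain", name)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        m = re.match(r"hwtacacs scheme (\S+)$", line)
        if m:
            section = ("scheme", m.group(1))
            schemes[m.group(1)] = dict(DEFAULTS)   # start from documented defaults
            continue
        m = re.match(r"domain (\S+)$", line)
        if m:
            section = ("domain", m.group(1))
            continue
        if section is None:
            continue
        kind, name = section
        if kind == "scheme":
            cfg = schemes[name]
            if line == "undo stop-accounting-buffer enable":
                cfg["stop-accounting-buffer"] = False
            elif line == "stop-accounting-buffer enable":
                cfg["stop-accounting-buffer"] = True
            elif FORMAT_RE.match(line):
                cfg["user-name-format"] = FORMAT_RE.match(line).group(1)
            elif TIMER_RE.match(line):
                m = TIMER_RE.match(line)
                cfg["timer " + m.group(1)] = int(m.group(2))
        else:
            m = BINDING_RE.match(line)
            if m:
                bindings[m.group(1)].append(name)
    return schemes, dict(bindings)


def audit(text: str, users_per_scheme: Dict[str, int]) -> List[Tuple[str, str, str]]:
    """Return (scheme, finding code, message) for each setting the chapter warns about."""
    schemes, bindings = parse_config(text)
    findings = []
    for name, cfg in schemes.items():
        domains = bindings.get(name, [])
        if cfg["user-name-format"] == "without-domain" and len(domains) > 1:
            findings.append((name, "domain-collision",
                             f"without-domain but bound to {sorted(domains)}; identical userids in "
                             "different ISP domains look like one user to the TACACS server"))
        rt = cfg["timer realtime-accounting"]
        if rt % 3 or not 3 <= rt <= 60:
            findings.append((name, "realtime-range", f"realtime-accounting {rt} is not a multiple of 3 in 3..60"))
        users = users_per_scheme.get(name, 0)
        if rt < recommended_interval(users):
            findings.append((name, "realtime-too-short",
                             f"realtime-accounting {rt} min is below the {recommended_interval(users)} min "
                             f"recommended for {users} users"))
        if not cfg["stop-accounting-buffer"]:
            findings.append((name, "buffer-disabled",
                             "stop-accounting buffering disabled; unanswered stop requests are lost"))
        for key, (lo, hi) in RANGES.items():
            if not lo <= cfg[key] <= hi:
                findings.append((name, key + "-range", f"{key} {cfg[key]} outside {lo}..{hi}"))
    return findings


if __name__ == "__main__":
    for scheme, code, msg in audit(SAMPLE_CONFIG, {"hwt1": 200, "hwt2": 1500}):
        print(f"{scheme} [{code}] {msg}")
```

On the sample configuration the audit flags hwt1 for being shared by two ISP domains while stripping the domain name, and hwt2 both for a 3-minute real-time interval with 1500 assumed users and for disabled stop-accounting buffering; the domain-collision finding is the one with a security consequence, since the server cannot tell isp1's and isp2's users apart.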